A new year means it’s time to look back on the eventful data privacy sector from 2023 and look forward to predicting what 2024 might bring.
As usual, our expert team follows these developments to ensure we can help your business thrive in complete compliance.
Let’s reflect on what happened in 2023 and see how we can help you prepare for the events 2024 will bring.
A Look Back at Data Privacy in 2023
2023 was quite the ride — we hope you’re as excited as we are to see how data privacy thrived last year.
The industry experienced several changes, with new laws and regulations making headlines nearly every month, but let’s focus on the following:
- New US privacy laws were voted in, and others have been enacted.
- The EU-US Data Privacy Framework was adopted.
- EU institutions finally reached an agreement on the EU AI Act.
- Google’s alternatives to third-party cookie tracking made their apparition in Chrome browsers.
US Data Privacy Laws from 2023
In 2023, five US states had data privacy laws enter into effect — several others passed new comprehensive laws for the first time.
Previously, the California Consumer Privacy Act (CCPA) was the primary US privacy regulation.
But this year, businesses had to be mindful of several new regulatory requirements, including:
- California Privacy Rights Act (CPRA) — effective Jan. 1, 2023
- Colorado Privacy Act (CPA) — effective Jul. 1, 2023
- Virginia Consumer Data Protection Act (VCDPA) — effective Jan. 1, 2023
- Utah Consumer Privacy Act (UCPA) — effective Dec. 31, 2023
- Connecticut Data Privacy Act (CTDPA) — effective Jul. 1, 2023
With these five new state privacy laws, privacy professionals have had a lot on their plate this year, and this trend will continue in 2024.
EU-US Data Privacy Framework
On Jul. 10, 2023, the new EU-US Data Privacy Framework was adopted by the European Commission to improve transatlantic data flows.
With this adequacy decision, companies can now rely on this framework to send data from the European Union (EU) to the U.S.
The new EU-US Data Privacy Framework highlights how the EU and the U.S. aim to improve the protection of personal information transiting between these two regions.
Businesses must self-certify to fulfill the data protection measures outlined by the program, which includes fully complying with the General Data Protection Regulation (GDPR).
The framework replaced Privacy Shield, which was invalidated by a case brought to court by Austrian lawyer and data privacy advocate Maximillian Schrems.
EU Data Privacy Laws from 2023
The EU was also active in 2023 in terms of privacy laws.
Thanks to the GDPR and the ePrivacy Directive, the EU was already a key actor in shaping the privacy world.
But over the past year, we’ve seen significant new developments on this side of the Atlantic.
EU AI Act
On Dec. 9, 2023, AI regulation passed an important milestone in Europe.
The European Parliament announced it had reached a political agreement with the Council of the European Union on the Artificial Intelligence Act proposed by the European Commission.
Until now, EU institutions have been discussing and negotiating the main rules that would structure the development and use of AI, particularly concerning the right to privacy.
With an agreement reached, the EU AI Act is one step closer to being voted into law.
It would be the first law to regulate AI and includes provisions in the following key areas:
- It bans using AI for certain applications, such as social scoring, untargeted scraping of facial images from the internet or camera footage to create facial recognition databases, or manipulating human behavior.
- It provides certain exemptions and safeguard requirements for using AI applied by law enforcement.
- It defines and draws obligations for high-risk AI systems.
- It provides rules for general AI systems.
- It would create a governance system around AI, with EU institutions able to enforce sanctions and maximum penalties of up to €35 million or 7% of a business’s annual global turnover.
If approved, the EU AI Act would become applicable two years after entering into force, with some exceptions:
- Prohibitions of certain applications would be applicable six months after entry into force.
- Requirements for general AI systems (not high-risk) would apply after 12 months.
Digital Markets Act (DMA)
In May 2023, the EU’s Digital Markets Act (DMA) was enacted.
The DMA passed into law in September 2022 and aims to regulate digital platforms with significant market power, such as Google and Facebook.
The Digital Markets Act regulates core platform services, including:
- Online search engines like Google
- Social networks like Facebook
- Web browsers
- Video-sharing platforms
- Other essential services that shape the online world
It applies to companies that provide core platform services in the EU and that meet the three criteria below:
- Have an annual turnover in the European Union of €7.5 billion over the last three financial years
- Have at least 45 million active end users in the European Union and at least 10,000 active business users established in the European Union;
- Meets the second criterion for the last three years
As of September 2023, the European Commission designated the following companies as gatekeepers or core platform services that must follow the DMA:
- Alphabet
- Amazon
- Apple
- ByteDance
- Meta
- Microsoft
The DMA impacts small-to-medium-sized businesses (SMBs) that use these services in the following ways:
- Core platform services must allow businesses to promote their products or services through third-party online services or their direct channels, even if the pricing differs from the gatekeeper’s.
- Core platform services must allow business users and end users to raise non-compliance issues with legal authorities.
- Core platform services offering advertising services must provide certain information to business users, such as the price and fees.
- Core platform services cannot rank their own products or services higher than others in online searches.
- Provide businesses with access to their data.
Overall, the DMA is strengthening the consent requirements to ensure individuals don’t suffer from the imbalance of power and technology with these platforms.
It also gives SMBs fairer opportunities regarding advertising.
The Deprecation of Third-Party Cookies
In 2023, Google confirmed the long-awaited dates for gradually phasing out third-party cookies.
Although third-party cookies were still active in 2023, Chrome has been providing new controls to its users to prepare for the disappearance of third-party cookies in 2024.
Google’s Privacy Sandbox functionalities — the initiatives that will replace third-party cookies with more privacy-friendly technologies for advertising and marketing — reached general availability in the Chrome browser.
The Advent of Generative AI
Data privacy in 2023 wouldn’t have been the same without the massive apparition of AI tools — particularly generative AI tools.
- In 2022, we witnessed groundbreaking advancements with AI that pushed data privacy to new boundaries.
- In 2023, improved algorithms and models enabled AI systems to generate content that surpassed humans in many aspects.
An important effect of the advent of generative AI has been the massive increase in the use of personal data to train AI models, bringing new challenges for businesses using AI.
As AI has become more available and complex, it’s hard for businesses to understand to what extent they need to comply with privacy laws, often ending up with AI technologies they don’t necessarily understand.
A Look Ahead at Data Privacy in 2024
We’re early into 2024, and data privacy is already looking promising — we’re more than excited to continue helping customers achieve compliance and are ready to support you with:
- New U.S. state laws entering into effect
- Google requires Ad Publishers to use CMPs that support the IAB EU’s Transparency & Consent Framework v2.2
- More laws impact when websites must recognize universal opt-out mechanisms (UooMs)
Our teams closely monitor all these new developments in data privacy, so let’s see how they may affect your compliance.
New US State Laws Take Effect
First, three U.S. state privacy laws are scheduled to be enacted before the end of 2024.
Florida Digital Bill of Rights (FDBR)
On Jul. 1, 2024, the Florida Digital Bill of Rights (FDBR) will become effective.
The FDBR introduces many new vital changes to privacy requirements for businesses in Florida or businesses that provide goods and services to state residents.
Some of the most notable obligations include:
- Controller requirements for processing personal data
- Data Protection Impact Assessments (DPIAs)
- Contractual obligations regarding third-party processors
- Guidelines surrounding children’s data
The FDBR also introduces new consumer rights, including the right to:
- Confirm if a controller is processing their personal data, and access to that data
- Correct inaccuracies in their personal data
- Delete any or all of the personal data provided by or obtained about the consumer
- Obtain a copy of their data in a portable format and, where available, in a digital format
- Opt-out of targeted advertising, profiling, and sale of their personal data
- Opt-out of the collection of sensitive personal data, including precise geolocation and the processing of sensitive data
- Opt-out of the collection of personal data through a voice or facial-recognition feature
Businesses that fall under the scope of the FDBR must adapt to these requirements, for example, by implementing a compliant cookie banner and a DSAR form.
Oregon Consumer Privacy Act (OCPA)
Oregon’s data privacy law, the Oregon Consumer Privacy Act (OCPA), will enter into force on Jul. 1, 2024.
Similarly to other US privacy laws, the OCPA applies to businesses located in Oregon or that provide products or services to state residents.
In addition, businesses need to meet one of these two thresholds:
- The business processes the personal data of 100,000 or more consumers in a calendar year, other than personal data processed solely for the purpose of completing a payment transaction.
- The business processes the personal data of 25,000 or more consumers in a calendar year while deriving 25% or more of the annual gross revenue from selling personal data.
The OCPA also regulates how businesses can use consumer personal data, including:
- Legal basis for processing personal information
- Personal data and security obligations
- Contractual obligations with third-party processors
- Data protection assessments
- Recognition of universal opt-out mechanisms (UOOMs)
Additionally, the OCPA requires opt-in consent from consumers for any processing of personal data that is not “adequate, relevant, and reasonably necessary” and for processing sensitive personal data.
Montana Consumer Data Privacy Act (MCDPA)
The Montana Consumer Data Privacy Act (MCDPA) will come into force on Oct. 1, 2024.
The MCDPA applies to businesses operating in Montana or whose products and services target residents in this state.
Additionally, the business should meet one of the following thresholds:
- Controls or processes the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction
- Controls or processes the personal data of no less than 25,000 consumers and derives more than 25% of their gross annual revenue from the sale of personal data
The MCPDA introduces new requirements on how businesses should use personal data, and its main areas of compliance cover:
- Controller guidelines for processing data
- Data protection assessments
- Contractual obligations with third-party processors
- De-identified and pseudonymous data obligations
- Recognition of universal opt-out mechanisms (UOOMs)
The MCPDA also requires businesses to obtain consent from customers in some instances.
The Act states that a business should obtain consent when it plans to process personal data for purposes that are not reasonably necessary or incompatible with the purposes the business discloses in its privacy policy.
In this case, the consent model required by the MCPDA is opt-in consent, i.e., a clear, affirmative action that is not implied.
Google, Ad Publishers, and CMPs that Support the IAB EU’s Transparency & Consent Framework v2.2
As of Jan. 16, 2024, Google requires ad publishers — i.e., businesses serving ads on their websites — to users in the EEA and the UK to use a Consent Management Platform (CMP) certified to meet the specifications of the Transparency and Consent Framework v2.2 (TCF)
The European branch of the Interactive Advertising Bureau (IAB) created the TCF to help businesses respect EU privacy laws.
Many businesses process their users’ personal information to create personalized content and enhance digital advertising.
So, the TCF is a voluntary framework that businesses can implement to assist with serving digital ads to EU users while honoring laws like the GDPR and ePrivacy Directive.
Laws Impacting Universal Opt-Out Mechanisms (UOOMs)
An important trend to note in 2024 is the development of U.S. state laws of requirements on universal opt-out mechanisms (UOOMs).
Universal opt-out mechanisms, like Global Privacy Control (GPC), automatically let consumers communicate opt-out preferences on their browsers.
Businesses that fall under California and Colorado consumer privacy laws must start honoring UOOMs in 2024.
But several other new state laws will also require businesses to recognize browser extensions and global privacy device settings as consumers’ designated, authorized agents concerning their privacy rights.
Here is the list of states that passed laws including UOOM requirements and the date of entry into force:
- Montana Consumer Data Privacy Act (MCDPA) — Jan. 1, 2025
- Texas Data Privacy and Security Act (TDPSA) — Jan. 1, 2025
- Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) — Jan. 1, 2025
- Oregon Consumer Privacy Act (OCPA) — Jan. 1, 2026
- Delaware Personal Data Privacy Act (DPDPA) — Feb. 1, 2026
California UOOM Requirements
Since Jan. 1, 2023, through amendments made to the CCPA by the Californian Privacy Rights Act (CPRA), California’s privacy law has recognized universal consent signals as a valid form of consent.
As defined, opt-out preference signals are sent with the consumer’s consent by a platform, technology, or mechanism.
They are a valid method for consumers to indicate their consent to a business.
Colorado UOOM Requirements
The Colorado Privacy Act (CPA) was signed into law by Colorado Governor Jared Polis on Jul. 7, 2021 — its effective date was Jul. 1, 2023.
However, the Colorado Attorney General is expected to provide technical requirements for a universal opt-out mechanism by Jul. 1, 2024.
The universal opt-out mechanism will allow consumers to exercise all opt-out rights from their browser or other platforms, meeting the technical requirements.
The global opt-out should apply to both sales of data as well as targeted advertising.
Predictions for Data Privacy in 2024
Our new year resolution for 2024 is to give you the best services, and our experts are at it again with important predictions for you:
- A Cookieless World
- The first AI regulation in the EU
This Is the Year Cookies Go Away
Google’s long-awaited Cookiepocalypse is coming to fruition in 2024, with Chrome stopping the support of third-party cookies.
Indeed, the tech giant announced that as of Jan. 4, 2023, Chrome had started restricting third-party cookies by default for 1% of Chrome browsers.
The plan is to ramp up to 100% of users in Q3 2024.
The deprecation of third-party cookies is closely related to the recent implementation of Google’s Privacy Sandbox, an initiative that aims to replace tracking cookies with more privacy-friendly technologies.
The EU AI Act Is Signed into Law
On Dec. 9, 2023, the European Union’s institutions reached an agreement on the proposal for harmonized rules on artificial intelligence (AI), the so-called EU AI Act.
The draft regulation aims to ensure that AI systems placed on the European market and used in the EU are safe and respect privacy and fundamental rights.
The Act is in a good position to be the first to regulate AI technology, which is reshaping our lifestyles and work dynamics but also potentially reshaping our understanding of human rights.
Other AI regulations are likely to follow, and the close link between AI and privacy will make this all the more important for businesses to stay ahead of the privacy game.
The next steps will likely be completed soon, with each member state currently reviewing the proposal for endorsement.
If the EU AI Act is voted into law in 2024, its entry into force would be in 2026, with some exceptions for specific provisions.
Termly’s Plans for 2024
As your business needs to thrive in this ever-evolving digital world, our privacy experts and product engineers work tirelessly to update our suite of compliance solutions to help you stay on the right side of the law.
Here’s what you can expect from Termly in 2024:
Summary
As we step into 2024, it’s quite exciting to see that data privacy is continuing to adapt to the development of the tech world.
AI, the end of cookies, and new laws are the main challenges businesses face regarding privacy compliance. Businesses must proactively adjust for impending privacy law changes to keep a competitive edge.
At Termly, we advocate for businesses to embrace a privacy-centric approach, acknowledging users’ privacy as a crucial point to foster their activity.
Rest assured, we’re watching how these new developments may affect your business in 2024.
