2023 Data Privacy Law Predictions and Trends
Will 2023 be the year the United States finally gains an all-encompassing federal law governing data protection and privacy like the European Union’s broad-reaching GDPR?
The short answer: it’s hard to tell.
While the proposed bill for an American Data Privacy Protection Act (ADPPA) easily passed a congress vote in August 2022, it stalled before the close of federal government business in December. Industry experts predict a federal privacy law may be one or more years away. It is expected to be brought before congress again in 2023.
However, businesses in the U.S. already need to adjust their privacy stances further to comply with five new state privacy laws that take effect in 2023:
- California Privacy Rights Act (an amendment to the California Consumer Privacy Act) – effective from January 1, 2023, enforceable from July 1, 2023
- Virginia Consumer Data Protection Act – effective from January 1, 2023
- Colorado Privacy Act – effective from July 1, 2023
- Connecticut Data Privacy Act – effective from July 1, 2023
- Utah Consumer Privacy Act – effective from December 31, 2023.
Consumer privacy rights covered by these state privacy laws generally include:
- The right to opt in or opt out of collection and use of personal data for certain purposes
- Restrictions on how much personal information can be collected (businesses should only collect data needed to help provide services)
- Non-discrimination for exercising data privacy rights
- The right to know what personal data is collected, why it is collected, how it is used and whether a business sells the personal data it collects
- The right to request access to personal data collected and request it be deleted.
In mid-December 2022, TrustArc’s CEO Chris Babel hosted an industry panel discussion about the implications of these new state laws and predictions for data privacy law in 2023. The panel of privacy industry experts included:
- Caitlin Fennessy, VP & Chief Knowledge Officer, IAPP
- Michael Lin, Chief Product Officer, TrustArc
- Hilary Wandall, Chief Ethics and Compliance Officer, Dun & Bradstreet.
Below is a summary of the industry experts’ discussion, including insights on current and upcoming compliance challenges for businesses that collect personal data from consumers.
Several State Privacy Law Updates Expected in 2023
Last year was an incredibly busy time in the state privacy law landscape, with 60 detailed consumer privacy bills considered by lawmakers across 29 states – more than double the 29 consumer privacy bills considered in 2021.
Five states considered comprehensive consumer privacy bills for the first time: Georgia, Indiana, Maine, Michigan and Vermont.
“We will see several more adopted in 2023 and certainly several more before we see a federal privacy law in the U.S.,” predicts Fennessy.
At the same time, she’s hopeful we won’t see 50 different state consumer privacy laws introduced before a federal privacy law is enacted:
“I’m less bullish about the ADPPA now than in 2022 because it was a bit crushing to see the law stall, but I absolutely think a federal consumer privacy law will happen.”
Laws Governing International Data Transfers
On December 13, 2022, the European Commission announced it has started the process to adopt an adequacy decision for the EU–U.S. Data Privacy Framework. Chris Babel notes managing compliance for trans-Atlantic data transfers has been a huge concern for organizations surveyed by TrustArc over the last few years.
He says businesses in the U.S. are facing more uncertainty on trans-Atlantic data transfers, because an update on the Schrems decision will go to the European Data Protection Board and the European Parliament in 2023.
“It will work its way through to member states and I think it will be adopted,” says Fennessy. “Then the question is: does it stand in the trans-Atlantic space? And I think it has to.
“Now there’s the Declaration on Government Access to Personal Data held by Private Sector Entities, adopted on December 14, 2022, which has been years in the making. The whole impetus for the Organization for Economic Co-operation and Development (OECD) was to… rally around a principled, like-minded state, recognizing there are other regimes that don’t follow the rule of law and to address this issue.”
There is also debate whether organizations will experience bigger challenges with data transfer compliance outside the trans-Atlantic context (EU–U.S.) in 2023 than within the trans-Atlantic context.
Trans-Pacific transfers, for example, will demand more focus, notes Wandall. She predicts tougher security and privacy rules for data transfers into and out of China, in particular.
“There’s so much that has been happening in China over the last year and a half,” she says.
“We’re experiencing how China’s approach to personal information protection and broader data compliance is driving a lot of the thinking around privacy and broader management of data compliance programs.”
Increased Scrutiny of Technology Security in the U.S.
There is no doubt among our panellists that the security of data collection technologies used by organizations will be intensely scrutinized in 2023.
Indeed, the expectation for organizations to ensure data security was highlighted in the summary of the American Data Privacy and Protection Act when it was introduced on June 21, 2022. It stated:
“Companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement. The bill provides for enforcement of these requirements by the FTC and state attorneys general. Beginning four years after the bill’s enactment, individuals may, subject to certain notification requirements, bring civil actions for violations of the bill.”
Wandall says none of this should come as a surprise: existing state and international data privacy laws all contain wording about the need for organizations to “use reasonable safeguards to secure personal data”.
As more companies implement increasingly sophisticated data collection technologies, consumers’ privacy concerns will continue to grow.
The good news is we can expect to see privacy risks better managed, says Wandall. “The regulation of technology infrastructure and privacy rules are beginning to come together in a much more comprehensive way in 2023.”
TrustArc’s Chief Product Officer Michael Lin is also optimistic about improved technology infrastructure security. He reports:
“Some of the technology solutions in the market are really starting to hit the mark by helping organizations automate the security and privacy work. I think we’ll see great advancements in the technology space, with more automation to streamline critical processes and deliver better security and more value.”
The U.S. Needs a Strong Federal Privacy Law
The privacy experts are less optimistic about a federal privacy law passing in 2023. They all express frustration with how many businesses and rule makers in the U.S. seem to struggle with the concept of privacy regulation.
“I wonder whether the FTC’s rulemaking might cause people to finally recognize we need federal privacy legislation and for the rules to be enforceable in the right way,” says Wandall.
“My fear is that if we do not enact something that sets a baseline for protection of privacy and data at the federal level, that it’s just going to continue to cause us challenges in being able to operate effectively in a global economy.
“Data is the heart of how everyone gets things done these days and it is so incredibly difficult to move data all over the world.”
Fennessy agrees, pointing to concerns raised by European Commissioner Reynders during a press statement on December 15, 2022, when he gave an update on the EU–U.S. Data Privacy Framework:
“While further work is still needed on both sides of the Atlantic, we look forward to the upcoming future when EU and U.S. companies and prosecutors will be able to rely on strong procedural safeguards for their transfers of personal data and electronic evidence across the Atlantic.”
Reynders’ statement touches on the data privacy compliance challenges U.S. companies face all over the world now, notes Fennessy.
She says U.S. companies and the federal government need to step up commitments to backstop protection for data when it hits U.S. shores. “What this shows is that it’s one thing to create a deal in a bilateral framework with the EU, but that the U.S. – which in the early days of the internet was a policy leader – has clearly relinquished its policy leadership to the EU.”
TrustArc CEO Chris Babel acknowledges the frustrations of privacy experts like him, who have waited years for a federal privacy law to be enacted.
“I’ve had a slightly jaded view for a while and predicted it will not happen, and so I was surprised how close we got in 2022,” he says.
“I came from the security space where, in 2002, California started mandating data breach notifications. Yet, 20 years later, we still don’t have insight on when we will have a federal privacy law. It’s hard for businesses.
“I don’t think the federal bodies are motivated to reach consensus. They’re too busy poking at the people on the other side of the aisle. I hope I’m wrong, but I don’t see a federal privacy law in sight in 2023.”
