If the first quarter has been any indication, 2023 will be yet another busy year in data protection and privacy. With so many global regulations to pay attention to, knowing where to focus your privacy resources is challenging. But despite the chaos, these are the key laws and topics you should have on your 2023 privacy compliance roadmap.
Anticipated Changes to Existing Privacy Regulations
Five U.S. State Privacy Laws Go Into Effect in 2023
In January, the Virginia Consumer Data Protection Act (finalized) and the California Privacy Rights Act (CPRA) (amending the California Consumer Protection Act (CCPA)) became effective.
Although the CPRA does make significant changes to the CCPA, rulemaking is still in progress. On February 14, 2023, CCPA regulations were submitted to the Office of Administrative Law for final review, which has 30 business days to review the rulemaking package. Enforcement of the CCPA is already underway, but CPRA enforcement is expected to start in July 2023.
However, that date could change, and you should monitor the California Privacy Protection Agency’s announcements. CCPA rulemaking will continue in phases and focus on different types of notices, Global Privacy Control (GPC) and universal opt-out mechanisms, how to exercise individual rights, and other topics such as the annual security audit and privacy impact assessment requirements.
Next, Connecticut CT-SB6 (CTDPA) and the Colorado Privacy Act will become effective on July 1, 2023. The CTDPA won’t require controllers to enable consumers to exercise their opt-out rights through a universal mechanism until January 1, 2025.
Final rules for the Colorado Privacy Act were filed with the Secretary of State on March 15, 2023. Regulations include consumer rights, universal opt-out mechanisms, controller obligations, data protection assessments, and important topics such as automated decision making and consent.
And lastly, to ring in the new year, the Utah Consumer Protection Act will go into effect on December 31, 2023. Because each U.S. state privacy law is different, all five should be on your privacy compliance roadmap.
EU-U.S. Cross-Border Data Transfers and The Executive Order
It’s been over a year since the EU and the U.S. struck an understanding on a revamped Privacy Shield data transfer agreement, now called the EU-U.S. Data Privacy Framework (DPF). In December 2022, the European Commission published its draft adequacy decision recognizing the essential equivalence of U.S. data protection standards.
However, the draft decision can’t be adopted until it goes through several steps: submission to the European Data Protection Board (EDPB) for an opinion, approval from a committee of representatives of the EU Member States, and finally, scrutiny by the European Parliament, which has the right to review adequacy decisions.
In early March 2023, the EDPB released its opinion, welcoming the improvements but noting that concerns remain regarding the lack of specific rules on automated decision making and profiling, and regarding U.S. intelligence surveillance.
The European Parliament agrees with the EDPB that the DPF Executive Order is insufficient and does not provide adequate safeguards. Parliament is calling for the Commission not to issue an adequacy decision on the current basis and for the framework to be amended, although these adverse comments are not binding on the Commission.
Earlier this year, Max Schrems also spoke out about the draft decision:
“We will analyze the draft decision in detail the next days. As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights.”
A final decision should come in the next few months. And because data transfers have become vital to international trade, this decision will be critical for your 2023 privacy compliance roadmap.
More Data Protection and Privacy Regulations to Watch in 2023
Although a U.S. federal privacy law was proposed in 2022, that bill stalled before the close of federal government business in December. The two political parties have different motivations for the American Data Privacy Protection Act, and it may be brought before Congress again.
Whether or not we will see a U.S. federal privacy law in 2023 remains uncertain. But don’t give up hope. At a recent hearing, the Innovation, Data, and Commerce Subcommittee Chair Gus Bilirakis (R-FL) declared, “Americans need and deserve more transparency over how their information is collected, processed, and transferred.”
In March 2023, the Iowa Senate and House unanimously voted to approve Senate File 262, potentially making Iowa the sixth U.S. state to enact an omnibus privacy law. Iowa’s law is similar to the frameworks of Colorado, Connecticut, Utah, and Virginia and is set to take force on January 1, 2025. Notably missing from Iowa’s bill are sensitive data opt-in consent requirements, a user’s right to correct, required risk assessments, and purpose limitation requirements.
Across the Atlantic, the U.K. government released the second draft reform of the UK GDPR, called the Data Protection and Digital Information (No.2) Bill. This bill doesn’t change the fundamental principles of the U.K. GDPR, data subject rights, or core obligations. IAPP writer Joe Jones summarizes the top 10 takeaways from the draft reform.
2023 Data Protection and Governance Hot Topics
Two new Acts passed in the EU raise the question of what the government’s role should be regarding major tech companies and online services.
The EU Digital Markets Act (DMA) will apply in the EU from May 2023 to ensure dominant tech companies behave fairly online, including through the monitoring of practices that might restrict the growth of new and alternative platforms.
In the DMA, large platforms like Google, Facebook, and Amazon are given the title Gatekeepers. Gatekeepers are prohibited from:
- Processing consumers’ personal data collected from third-party services to provide online advertising services without prior consent, and
- Reusing personal data collected during a service for the purposes of another service without prior consent, among other things.
The Digital Services Act (DSA) was also proposed by the European Commission to provide a safer, fairer, and more open digital playing field across the EU. It sets out new standards for online accountability and imposes rules around how platforms moderate content, advertise, and use algorithmic processes.
The DSA entered into force on November 16, 2022. It applies fully to all relevant entities 15 months after entering into force: from February 17, 2024. There are additional deadlines before this, however. For example, online platforms have been asked to report the number of end users they have by February 17, 2023. The European Commission will use this information to determine which ones should be designated very large online platforms/search engines.
Artificial Intelligence (AI) Regulations
As AI and machine learning take the world by storm, regulators are increasing legislation and enforcement. Meanwhile, privacy professionals are trying to understand the current AI privacy requirements and monitor future legislation.
The GDPR and the CPRA refer to automated decision making (ADM) technologies (and offer consumers the right to opt out of such data processing). Also, if AI is used to process personal data, the principles of the GDPR, such as accountability, fairness, data minimization and security, and transparency should be considered.
AI is increasingly a concern of regulators, and several new laws and amendments have already been proposed to introduce safeguards for the responsible use of AI and regulatory compliance.
- The European Commission proposed the Artificial Intelligence Act (AI Act).
- California State Assembly introduced Bill AB-331 Automated Decision Tools.
- The FTC is investigating potential new rules for AI use.
- Other states, such as Alabama, Colorado, Mississippi, Vermont, and Washington, are working on new AI rules.
Although no federal regulation exists regarding ethical AI use in the U.S., the White House released a Blueprint for an AI Bill of Rights in 2022. The blueprint is a set of five principles and practices to guide using automation while protecting the rights of the American public. Additionally, all U.S. Federal organizations are to follow the U.S. national strategy on AI defined through various legislation and executive orders.
The European Commission also released guidelines on automated individual decision-making and profiling for the purposes of regulation in 2018. And even more recently, the Information Commissioner’s Office (ICO) provided updated guidance for AI and Data Protection in March 2023.
AI and machine learning are poised to become hot-button issues over the next few years. This is an area you’ll want to keep bookmarked in your privacy compliance roadmap.
A dark pattern is a broad term describing a variety of manipulative design choices that persuade users to make choices they otherwise wouldn’t have made. Dark patterns can include:
- Pre-selections on forms,
- Not giving people opt-out options,
- Hidden opt-out controls,
- Repetitive attempts to collect information, and
- Using algorithms to change purchase decisions.
At their core, dark patterns reflect the opposite of transparency and trust. Not only do we see more data protection regulations covering dark patterns, but consumers have also become more aware of them.
For example, in late 2022, the FTC reached a $100 million settlement with Vonage over allegations of dark pattern use that made it difficult for consumers to cancel services. As these headlines become more mainstream, consumers are more likely to notice and report dark pattern use.
Carefully examine your websites, applications, and privacy notices. Are they transparent? Do they provide users with an opportunity to make choices without being persuaded? If not, act quickly to remedy those issues before consumers or regulators discover them first.
4 Steps to Build Your 2023 Privacy Compliance Roadmap
Considering the new regulations, changing regulations, and possible regulations, here are four steps to boil that information down into your 2023 privacy compliance roadmap.
Know Where You Stand
Start by answering the following questions to get a general sense of the organization’s current privacy program status and what important actions need to be taken this year.
- What laws/regulations must your organization comply with?
- What do your current privacy program and compliance status look like?
- What are the core details of your privacy program?
- What are your biggest gaps and risk areas?
Quickly identify your current privacy stance, the laws you must comply with, and your most critical gaps with PrivacyCentral.
Update the Data Inventory
An accurate, updated data inventory is critical for compliance with privacy regulations and data subject access requests. You need a detailed outline of:
- what data the organization has,
- where it lives,
- where it’s collected from,
- and where it is transferred, sold, or shared.
Because most functions in organizations collect or process data, keeping your data inventory updated can be a strenuous effort. Some privacy teams collaborate across business functions using spreadsheets, while others choose to automate data discovery and compliance reporting processes.
Learn more about an automated privacy data inventory and mapping system to support your data inventory building, mapping, and compliance reporting.
Open Communication Lines with Business Partners
Creating a comprehensive 2023 privacy compliance roadmap isn’t possible without connecting to people across the enterprise. The privacy team should be a resource that enables business innovation and value creation. Building relationships outside of the privacy office requires time and visibility.
Working with other business functions, privacy professionals can help enable the development of products and services within the parameters of data protection. Does your organization use privacy by design or by default processes and practices for creating new products and services? Have you implemented a privacy training program for all employees? Start from here and build relationships as you go.
Have Your Individual Rights Requests/Data Subject Requests Processes Tested and Ready
In addition to European consumers, individuals in several U.S. states have recently been granted data subject access rights. Although the rights and requirements vary, businesses must respond to requests to know, correct, delete, or stop the sale/share of data within a specific timeframe.
In some cases, this includes contacting third parties and vendors down the supply chain to make the necessary changes as well. As you can imagine, this can be a complicated web, and noncompliance can be costly. The California Attorney General has already announced enforcement actions; its first settlement, with Sephora, related to notice failures and opt-out requests signaled via the Global Privacy Control (GPC).
The data subject request lifecycle doesn’t have to be managed manually. In fact, it’s nearly impossible to do so. If you don’t want to leave your organization open to enforcement actions, leverage TrustArc’s Individual Rights Manager. Automate request fulfillment, improve response times, reduce costs, and comply with the most stringent global regulations.
You can also take transparency and trust further by providing customers a preference center to manage their consent choices with your business through Consent & Preference Manager.
Other Considerations for Your 2023 Privacy Compliance Roadmap
Depending on the size of the company and its location, your privacy program may be in different stages of maturity. In addition to compliance, other best practices also deserve a place in your privacy compliance roadmap.
Only collecting the data that is absolutely necessary for business functions can drastically reduce risk and simplify your privacy program. Although it’s tempting to feel like more data is better, focus on collecting the highest quality data with consent from the data subject instead. Work across business departments to stop collecting data unnecessarily.
Renew Privacy Certifications
There are always recurring annual tasks that need to be completed to comply with regulations. For example, in California, your privacy notice must include annual statistics revealing the number of requests received.
Certifications are proof of compliance and protection practices and demonstrate the organization’s commitment to privacy while reducing the time to finalize vendor partnership agreements. Independent reviews help your organization stand out, reduce risk, and build trust.
Keeping those third-party certifications active can be critical to your organization’s bottom line. Identify if you need to add certification renewal to your privacy compliance roadmap this year and ensure it gets done!
Whether your employees are in California or covered under another data protection regulation, protecting your employees’ data is the right thing to do. Every organization needs an employee privacy notice and policy.
Employers often collect very personal information about employees, who deserve to know how their data will be used and protected. Protecting your employee data demonstrates that you care about the people working for you. And doing so when it’s not required may even make your employees more loyal to your organization.
Don’t Sweat the Small Stuff
The data protection industry is ever-changing. The amount of information and news can be overwhelming. You have to separate what’s most important from the noise. It’s impossible to focus on everything.
To avoid being buried by the small things, start from the bottom line: what is the organization’s risk tolerance? Don’t try to overdo it; be flexible and ready for new regulations and unexpected developments. Work within the parameters of the organization’s risk tolerance and leave enough room in your privacy compliance roadmap for surprises.
Simplify the U.S. State Privacy Laws
Building your 2023 privacy compliance roadmap around the five U.S. state privacy laws doesn’t have to be complicated. Discover the similarities across the regulations by downloading So Many States, So Many Privacy Laws: How to Operationalize U.S. State Privacy Laws.