Welcome to 2023! The amount of privacy news coming out each day can be dizzying, here are the highlights to start the new year statewide, nationally, and internationally.

California
The California Privacy Rights Act (CPRA) took effect on January 1, 2023. Uncertainty remains around the final CPRA regulations, which are not yet final and may yet change prior to taking effect. The drafts indicate that the final CPRA will include a new category for sensitive personal information such as biometric data, gender and sexual orientation and racial or ethnic background as well as enhance children’s privacy by requiring affirmative opt-in consent prior to the sale of personal information of a child under 16. Also, the drafts indicate it will require implementation of contractual provisions between business and third parties they share information with and, like the VCDPA, it will require that existing vendor contracts be updated and that companies do due diligence on their vendors.

Virginia
In addition to the CPRA, the Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023. Unlike California’s laws, the VCDPA does not provide for the promulgation of additional rules, so the only changes to expect from Virginia this year will be amendments. Virginia’s law does not impose the same contractual requirements between businesses and third-party processors that the CPRA does, but it does require consent for the processing of sensitive data. Thankfully, the laws converge in some areas, notably around the rights of data subjects and the requirement to post a privacy policy and due privacy impact assessments prior to data collection. Beyond Virginia, states including Indiana, Maryland, Mississippi and Oregon are introducing or passing new privacy legislation this year.

United States
Over the summer and into the fall of 2022 Congress appeared to be making real progress towards a bipartisan privacy bill. The draft American Data Protection and Privacy Act (ADPPA) would be the first comprehensive privacy law in the U.S., focusing on many of the principles contained in the CPRA and VCDPA and other state privacy laws, namely:
- data minimization (the principle that a company should only collect the personal data it needs to provide its services, and nothing more)
- purpose limitation (that the data a company collects only be used for the purpose it is collected, and nothing more)
- security (that the data a company collects be processed and stored in a secure way)
Unfortunately, efforts to pass the ADPPA petered out into late 2022, and, while it remains to be seen whether the newly assembled Congress will pick it up again in 2023, we predict that we will see movement towards a federal privacy bill this year. President Biden signaled his support for the principles in the ADPPA in a recent op-ed published in the Wall Street Journal.
Meanwhile, the Federal Trade Commission (FTC) is hedging its bets on Congress by issuing its own notice of proposed rulemaking. The FTC has historically refrained from passing its own rules in this space, relying instead on its authority under Section 5 of the Federal Trade Commission Act to prevent unfair and deceptive trade practices. In August of last year, the FTC signaled its change in course, taking the privacy community by surprise with a request for public comment on proposed rules in the areas of personalized advertising, data security, and algorithmic discrimination. At some point this year, we can expect the FTC to release first drafts of the proposed rules.

International Enforcement
In Europe regulators entered 2023 on an enforcement tear, while also clearing a path for a clear transatlantic data transfer mechanism. Regulators have been actively pursuing actions against major U.S. tech companies on the privacy front, sending a clear message that compliance will (continue to) be on Europe’s radars into 2023. In France, the commission nationale de l’informatique et des libertes (CNIL) fined Google €8M for nonconsensual ad tracking, piggybacking on an earlier fine of €30M handed down to Microsoft for similar reasons. More recently (and more surprisingly), Meta was fined €390M by the Irish data protection commission, who found that the company’s basis for collection of user data for purposes of tracking and serving ads was invalid. Until that point, Meta had been relying on the “contractual necessity” basis for the collection and processing of personal data. Irish authorities gave Meta three months to implement an alternative rational basis, and to update its systems and processes accordingly. This fine leaves ripples across the transatlantic privacy community, as other companies scramble to reconsider their rational basis for the collection and processing of personal data.
The transatlantic community also has its eyes on the EU-U.S. Data Privacy Framework (DPF), which would replace the Privacy Shield that was invalidated in 2020 under the “Schrems II” decision by the EU’s Court of Justice. The White House implemented the DPF by executive order in late 2022, concurrently with the European Commission’s announcement that it will launch its adequacy determination under the DPF arrangement. If approved, this would clear a path for authorized transfers of data from the EU to the U.S., which is currently not deemed by EU authorities to have “an adequate level of protection” in place for personal data. Currently companies transferring data from the EU into the U.S. rely on alternative mechanisms such as standard contractual clauses, binding corporate rules or so-called “derogations,” each of which comes with its own set of issues and uncertainties.

What does this mean for my business?
Stay up to date with the ongoing legislative changes and update your data protection practices accordingly to stay compliant. With so many changes, we know this can be difficult. The Carney Privacy Group will be watching these developments in U.S. and international privacy laws. Please reach out to us if you need help navigating this new landscape of privacy laws or have questions about how to update your commercial contracts or privacy program. We are here to help.
