The Outlook for Privacy Laws in 2023: What to Expect and How to Prepare for Compliance

You may be surprised to learn that legislation governing data privacy in the US currently takes place at the State versus Federal level of government. This can be a challenge for New England area organizations, like yours, that most likely conducts business across state lines. Perhaps you’re watching potential legislation in states like Rhode Island which may require online entities to detail the information they are tracking on you. Or maybe you’re in Massachusetts where there’s proposed legislation to add the tracking of online marketing, especially to minors. Understanding US privacy laws in 2023 and how to comply with them is an important part of your business right now that can’t be overlooked or underestimated.

Today, more states are considering privacy laws tied to the individual. For example, Connecticut residents can request a business in New Hampshire to remove their personal information as defined by Connecticut state law. Businesses, in any state, without current knowledge of what is considered personal information under Connecticut law may be in violation of that state’s statute.  

Unfortunately, state variations of privacy requirements place the compliance burden on you since there is no Federal law regarding data privacy. Although the American Data Privacy and Protection Act (ADPPA) was sent to the House of Representatives for a vote, it has not been scheduled for the current legislative session. Without a Federal data privacy law, the protection of consumer data falls to the individual states. For you, this means that you’ll need to pay attention to the legislation in the states where you conduct business to ensure you’re in compliance. 

Currently, five states have comprehensive data privacy legislation set to become law in 2023, including California, Colorado, Connecticut, Virginia, and Utah.

California is considered the leader in enacting data privacy protection, with a specific focus on consent, with many states following the Golden State’s model. Connecticut and Utah closely follow California’s example. Colorado and Virginia adopted different criteria for determining protected data and identifying compliance-required businesses. With the number of changes coming, understanding the status of US Privacy Laws in 2023 should be part of your planning for the coming year. 

Unlike state legislation, the pending ADPPA draft legislation does not rely on consent for data protection. Businesses would only be allowed to collect essential information and must protect the data until it is permanently disposed of or deleted. Covered entities would charge for privacy protection. This pending legislation adds advertising protection for minors and requires data brokers to delete consumer data within 30 days of receiving a removal request.

A significant percentage of the ADPPA legislation would establish what is a covered entity, what data is protected, and what agencies oversee consumer data protection. Until federal government regulations are in place, businesses must assess their compliance obligations according to state laws. Let’s take a look at what you can expect in the next year.

US Privacy Laws in 2023

In addition to the five states with pending comprehensive legislation, several states are expanding existing laws. If your business falls into any of the following categories or practices, or if any of these types of businesses have access to the data you collect, read on to find out what you need to know as you head into the new year.

Data Brokers

California, Nevada, and Vermont have legislation regarding data brokers or entities that sell consumer data. California and Vermont require brokers to register and identify the information they collect and sell. Nevada requires data brokers to offer consumers the option to have their data removed.

Internet Service Providers (ISPs)

Maine, Minnesota, and Nevada have implemented legislation restricting how ISPs manage consumer data. Maine and Nevada prohibit ISPs from sharing, selling, or disclosing data unless the consumer explicitly agrees. Minnesota requires ISPs to receive consumer consent to disclose before sharing or selling online surfing history. 

Data Privacy for Minors

California is adopting stricter measures regarding advertising to children under the age of 18. Individualized marketing to a child based on collected data is prohibited as is marketing products that children cannot purchase, such as alcohol or tobacco. Minors have the right to be forgotten. They can request that their data be removed from any internet-based service, site, or application.

Delaware follows California in restricting online advertising to minors. However, the state added a clause to hold advertisers responsible if they have been notified of the requirement but continue a prohibited practice.

e-Reader Privacy

Arizona, California, and Missouri passed legislation prohibiting the release of information regarding the activities of a library patron. California and Delaware prohibit releasing information about subscriber’s activities when using a digital book service. Information may be released if a warrant is issued or there is imminent danger or death.

Privacy Policy Disclosure

California requires any website or online service to post a privacy policy that includes the personal information that is collected. The regulation applies to any site or service visited by a California resident. Connecticut, Delaware, Nevada, and Oregon require websites and services to post privacy policies and identify the personal information that may be collected.

Nebraska, Oregon, and Pennsylvania passed legislation stipulating that false statements regarding privacy policies violate unlawful trade statutes.

Data Sharing

California and Utah require non-financial online businesses to disclose to customers what information they share with or sell to a third party.

Electronic Monitoring of Employees

The following states require employers to notify employees if their emails, internet activities, and location are being tracked or monitored. These states include:

• Connecticut
• New York
• Delaware
• Colorado
• Tennessee
• Hawaii

Each state has slightly different language based on its existing legislation but all require notification. This is important to pay attention if members of your remote workforce reside in any of these states. 

Comprehensive Privacy Laws

The comprehensive privacy laws for California, Colorado, Connecticut, Virginia, and Utah will go into effect in 2023. To ensure compliance, organizations should review and update the following:

• Privacy Policies
• Process for addressing targeted marketing, advertising, and cookies
• Data Processing Agreements
• Data Security Standards
• Employee Training

It’s important to look at these privacy-related elements now to ensure you’re prepared for compliance, even if you and your business don’t reside in one of the five states enacting new legislation in 2023.

Privacy Policies

The five states have stipulated that organizations (including nonprofits) must post privacy policies that visitors to their website or online service can readily access. The policies must include the type of personal information that is being collected and identify if the information will be shared or sold to third parties. Posting incorrect or false information falls under unlawful trade statutes, and you could be prosecuted according to state law.

Privacy policies have extended to public libraries and digital book services in the five states. Libraries cannot release a patron’s history without a warrant. They cannot release information on the materials accessed, the sites visited, or online activities. The only exception is in case of imminent, life-threatening danger.

Nevada extended its e-reader legislation to digital book providers. These companies are prohibited from releasing subscriber information in the same way that public libraries are restricted. Disclosing such information requires a search warrant.

Targeted Marketing

Online service providers and media platforms must comply with privacy regulations that prohibit marketing or advertising to minors. Businesses are prohibited from advertising products or services that minors cannot purchase, such as alcohol. This legislation applies to websites that use cookies to track visited behavior. 

Internet providers, for example, must notify businesses that violate the restrictions, or they will be held responsible for the violation. Once organizations are notified, it becomes their responsibility to comply. 

Data Processing Agreements

States are requiring data brokers to inform consumers of the information they sell. States such as Vermont and Nevada require that data brokers register with the state and include consumer information in the registration. Nevada mandates that data brokers allow consumers to opt out of having their data sold or shared.

Data processing agreements should also be reviewed for security compliance. If businesses allow third parties access to protected consumer data, they should review those agreements to ensure they comply with updated privacy laws. 

Data Security Standards

Privacy laws may be a legislative focus in 2023, but that doesn’t mean that cybersecurity regulations are being ignored. Governments and industries issue data protection standards for businesses operating in their jurisdiction. These standards must be met and maintained to ensure that protected consumer data is secure.

The rapidly changing cybersecurity landscape requires organizations to amend existing processes to address current threats. Some industries require that personal data, such as PHI and PII, be collected and retained using methods that do not expose an individual’s identity, even if the data is compromised. 

Employee Training

Without Federal government regulations, companies are burdened with understanding and complying with multiple state privacy laws. Employees require training to understand how these laws impact their organizations. Employees should be informed as to which laws apply to state residents and which apply to businesses.

Employees also need updated training on cybersecurity threats and securing protected consumer data. Without up-to-date training, your team may move from being targets to becoming victims. 

International Privacy Laws

It’s important to remember that data moves across borders and jurisdictions that have varying degrees of privacy laws. The European Union’s General Data Protection Regulation (GDPR) has one of the most comprehensive privacy laws in the world. GDPR applies to any EU resident regardless of where the website is hosted or the business is located.

For example, GDPR includes a “right to be forgotten” clause. EU residents can request that their personal information be removed from any website or online service. If EU citizens visit your website in the US, you’re responsible for complying with GDPR removal requests. If the citizens ask that their data be removed, you must comply or face fines of up to 10 million euros or 2 percent of your worldwide annual revenue (whichever is higher). 

US-EU Data Privacy Framework

The Court of Justice of the European Union determined that the existing EU-US Privacy Shield framework was inadequate to protect data transferred between the two jurisdictions. The Court requested a more comprehensive framework to ensure the ongoing economic relationship between the two governments is secure.

President Biden issued an Executive Order in 2022 to strengthen the privacy constructs between the US and the EU. The order included:

• Added safeguards. US intelligence activities will be conducted only in compliance with defined national security directives and will consider the individual’s privacy regardless of nationality or country of residence.
• Monitored compliance. Legal, oversight, and compliance officials will extend their responsibilities to ensure compliance and remediate any violations.
• Updated policies and procedures. The US Intelligence Community must update documents to reflect the new safeguards that protect individual privacy and civil liberties.
• Redress mechanism. The Executive Order creates a process for parties from either jurisdiction to request independent review and redress of privacy violations. The results of the review will be binding.

The US government’s lack of privacy laws means there is no equivalent to the EU’s GDPR and no ability to enforce compliance at a Federal level. The Executive Order is the first step in establishing a framework for mutual implementation. 

Framework Implications

The Executive Order indicates a growing focus on data privacy across jurisdictions for US organizations. Although the Order is directed toward the Intelligence Community, once the framework is in place, it can be applied comprehensively to other areas of the public and private sector.

Businesses are faced with a growing array of privacy laws that require adherence to cybersecurity regulations for protected data. International laws such as the EU’s GDPR can carry significant penalties for violations. Co-operative agreements like the US-EU privacy framework will likely extend their reach.

More states are passing privacy laws tied to individuals and not to their location. For example, Colorado residents are protected under the state’s privacy laws regardless of where the resident or the business is located. Other states do not explicitly state that the laws apply to residents using the internet from outside the state.

The lack of consistency among the states adds to compliance complexity. Businesses may be required to register in one state but not in another. Registration may only require basic information such as addresses, phone numbers, and websites. Others may want you to stipulate the information being collected. Ensuring that processes and procedures follow cybersecurity best practices adds to your compliance burden.

Cybersecurity Implications

Staying informed on privacy laws and associated cybersecurity requirements for your business can quickly become a full-time role. It takes away the resources needed to grow your business. The alternative is costly fines and penalties which is not an option. If you’re concerned about the compliance needed for your business with newly enacted data privacy legislation, working with a Managed Service Provider (MSP) can help to ease your burden. Whether you’re looking for a fully managed IT model or co-managed IT support, contact us today to discuss how to create a plan for your business for 2023.