Virtually every country has enacted some form of data privacy law to regulate how information is collected, how data subjects are informed, and what control a data subject has over their information once it is transferred. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibition of a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting, but every website operator should be familiar with the data privacy laws that affect their users.
Here are the laws and regulations you should be aware of for 2023. We'll update this list as new laws pass.
U.S. data privacy laws
Despite numerous proposals over the years, no one comprehensive federal law governs data privacy in the U.S. yet. The American Data Privacy Protection Act (ADPPA) has made it further along the legislative process than any of its predecessors, but it still faces significant hurdles. As of this writing, it’s still uncertain whether the act will overcome or succumb to those hurdles.
In the meantime, however, individual states have acted rather than wait on the federal government. There's a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
An important enforcement agency in the U.S. is the Federal Trade Commission (FTC). Its authority to regulate on behalf of consumers comes from the Federal Trade Commission Act (FTC Act), which gives it broad jurisdiction over commercial entities to prevent unfair or "deceptive trade practices."
The FTC uses that authority to issue regulations, enforce privacy laws, and take enforcement actions to protect consumers. For example, the FTC might take action against organizations that:
- Fail to implement and maintain reasonable data security measures
- Fail to abide by any applicable self-regulatory principles of the organization's industry
- Make inaccurate privacy and security representations (i.e., lying) to consumers and in privacy policies
- Fail to provide sufficient security for personal data
- Violate consumer data privacy rights by collecting, processing, or sharing consumer information
- Engage in misleading advertising practices
Other federal laws that govern the collection of information online include:
- The Children's Online Privacy Protection Act (COPPA), which governs the collection of information about minors
- The Health Insurance Portability and Accountability Act (HIPAA), which governs the collection of health information
- The Gramm-Leach-Bliley Act (GLBA), which governs personal information collected by banks and financial institutions
- The Fair Credit Reporting Act (FCRA), which regulates the collection and use of credit information
- The Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records
State data privacy laws
The U.S. has hundreds of sectoral data privacy and data security laws among its states. State attorneys general oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, others to private entities, and others apply to both.
In addition to sectoral privacy laws, the U.S. is experiencing a major push for privacy legislation at the state level. That’s because the federal government hasn’t been able to reach a consensus on how to legislate broadly. Rather than wait, state lawmakers have been nudged by consumers, consumer advocates, and even companies to set their own rules.
Of course, companies would rather comply with a single federal standard than hire attorneys and privacy professionals, invest in compliance tools, and establish a robust compliance program that covers all applicable state laws. But states see the lack of any data privacy protections as more damaging than overly complex data privacy protections.
California started the domino effect. While only five states so far (California, Colorado, Connecticut, Utah, and Virginia) have passed a comprehensive law, many others are trying. Even where early bills failed in previous legislative sessions, those bills serve as a reference point for Republicans and Democrats to begin their amendment work before any deal can reach its final destination: the governor’s desk.
Here’s a breakdown of where things stand.
California Privacy Rights Act (CPRA)
The most comprehensive state data privacy legislation to date is the California Privacy Rights Act (CPRA). The CPRA was passed by a ballot initiative in November 2020 and amended California’s previous state privacy law, the California Consumer Privacy Act (CCPA). It went into effect on January 1, 2023.
The CPRA is cross-sector legislation that introduces important definitions and broad individual consumer rights and imposes substantial duties on entities or persons that collect personal information about or from a California resident. These duties include informing data subjects when and how data is collected; allowing them to opt-out of data collection; allowing them to access, correct, and delete such information; and restricting how businesses can transfer personal information to other entities.
Many of the above requirements were also included in the CCPA, but once the CPRA passed, the law was amended to include the following:
- Right to rectification: This updates and adds to a consumer’s right to correct inaccurate personal information.
- Right to restriction: This grants consumers the right to limit the use and disclosure of their sensitive personal information.
- Sensitive personal information: This updates the definition of personal information. Certain types of information, like a consumer’s Social Security number, must be treated with special protections.
The CPRA also:
- Tripled the fines for violations involving children’s data
- Expanded breach liability beyond breaches of unencrypted data to disclosures of credentials (like an email address or password) that could lead to access to a consumer’s account
- Limited the duration of time a company may retain a consumer’s information to only what’s necessary and “proportionate” to the reason it was collected in the first place
- Required companies working with third parties, contractors, and outside service providers to contractually mandate that those organizations apply the same level of privacy protection to the data shared with them as the first party
One of the most significant features of the CPRA is its enforcement. While state attorneys general typically handle privacy cases—unless the FTC is involved, and even then, it’s often a partnership—the CPRA establishes a new privacy regulator.
The California Privacy Protection Agency (CPPA) can fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines. It’s a five-member board, and it begins enforcement on July 1, 2023, six months after the CPRA went into effect.
Virginia's Consumer Data Protection Act (CDPA)
Virginia's Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers certain rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected, and with whom it's shared.
The law contains some similarities to the provisions of the EU General Data Protection Regulation (GDPR) and the CPRA. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents and also meet one of the following:
- Control or process the personal data of 100,000 or more consumers
- Control or process the personal data of at least 25,000 consumers and earn 50% of their revenue by selling personal information
The CDPA requires companies covered by the law to assist consumers in exercising their data rights by obtaining opt-in consent before processing their sensitive data (non-sensitive data may be collected so long as the consumer is notified), disclosing when their data will be sold, and allowing them to opt-out of data collection. It also requires companies to provide users with a clear privacy notice that enables consumers to opt-out of targeted advertising. In addition, it requires data brokers to honor consumers’ requests to opt out of data processing, among other requirements.
The CDPA went into effect on January 1, 2023.
Colorado Privacy Act (CPA)
In June 2020, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California's CPRA, Virginia's CDPA, and the EU’s GDPR.
While there are similarities, such as some form of a right to opt-out, special protections for sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details.
The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive revenue from the sale of that data.
The law lists five rights granted to Colorado residents once the law becomes effective on July 1, 2023. They are:
- The right to opt-out of targeted ads, the sale of their personal data, or being profiled
- The right to access the data a company has collected about them
- The right to correct data that's been collected about them
- The right to request the data collected about them is deleted
- The right to data portability (that is, the right to take your data and move it to another company)
There are 17 blanket exemptions within the law. Data exemptions include:
- If the data was collected for Colorado health insurance law purposes
- If the entity collecting the data or the data collected is already covered by certain sectoral laws, including COPPA or the Family Educational Rights and Privacy Act (FERPA)
- If the data has been de-identified or pseudonymized
- If the data is being maintained and used by a consumer reporting agency
- If the data is being used for employment records purposes
Since the law goes into effect midway through 2023, businesses should expect updates to the law via rulemaking in the first half of the year.
Utah Consumer Privacy Act
In March 2022, Utah became the fourth state to enact a comprehensive consumer privacy law, which will take effect on December 31, 2023. The Utah Consumer Privacy Act (UCPA) draws from the CDPA, CPA, and CPRA.
The law applies to both data controllers and processors that generate over $25 million in annual revenue and either:
- Control or process personal data for over 100,000 consumers yearly, or
- Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Similarly to the statutes in Colorado and Virginia, there are exemptions for certain types of personal data; however, they’re broader at both the entity and data levels.
The law does not apply to governmental entities or third parties acting on behalf of a governmental entity, tribes, institutions of higher education, nonprofit corporations, business associates, information that meets the definition of protected health information for HIPAA and related regulations, and more.
Financial institutions governed by the GLBA (the Gramm-Leach-Bliley Act) and information in the FCRA (Fair Credit Reporting Act) also aren’t subject to the UCPA. Data processed or maintained in the course of employment is also exempt.
Consumers have the right to:
- Confirm whether a controller is processing their personal data, and access or delete the personal data they provided
- Obtain a copy of their personal data in a portable, accessible format
- Opt-out of processing of personal data for targeted advertising or sale
In contrast to the CDPA and CPA, the UCPA does not include the right to opt-out of profiling, nor does it codify the right to correct inaccuracies in their data.
Connecticut’s Data Privacy Law
Connecticut is the fifth and most recent state to adopt a comprehensive consumer privacy law. Senate Bill 6, or “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA), goes into effect July 1, 2023.
The law also draws from Virginia and Colorado’s statutes, with a few departures. It applies to businesses that, during the preceding calendar year:
- Controlled or processed personal data of 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely to complete a payment transaction; or
- Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The law is the first to exclude payment transaction data from its scope, a carve-out intended for small businesses that process information only to complete a transaction, such as restaurants. Consumers can opt out of data processing for the purposes of targeted advertisements, sale to a third party, and profiling.
Through December 31, 2024, the state allows a 60-day cure period to remedy violations.
New York SHIELD Act
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York's existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable.
This law broadened the scope of consumer privacy and provides better protection for New York residents against data breaches of their personal information. It requires employers in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
Last year, in 2022, the state Attorney General settled with an organization for $600,000 for failing to meet minimum standards, a failure that led to a security breach and a leak of personal information. While there have been no recent updates to the law, it is still very much active and enforced, as this settlement shows.
Other state-level data privacy laws
California, Utah, Virginia, Connecticut, and Colorado are the first states to enact broad legislation that has had a national impact, but many other U.S. states are also considering data privacy laws.
Currently, there is active legislation in Michigan, Ohio, Pennsylvania, and New Jersey. There are over 20 states with inactive legislation that may be picked up again in the future or folded into new legislation.
EU data privacy laws
The EU General Data Protection Regulation remains the law of the land, but new data privacy-related laws have been passed in the EU recently, notably the Digital Services Act and the Digital Markets Act. There are several proposals to be aware of in 2023 as well. Here's a refresher on the GDPR and a list of the other proposals you should track to keep your organization up-to-date on data privacy in 2023.
The General Data Protection Regulation (GDPR)
The most crucial data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR. Some essential requirements of the GDPR include:
Data Breach Notification
In most cases, organizations must notify supervisory authorities and data subjects within 72 hours of a data breach that affects users' personal information.
Data Subjects' Rights
- The right to be informed. Data subjects must be informed about the collection and use of their personal data when the data is obtained.
- The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what's being processed, and with whom it is shared.
- The right of rectification. If a data subject's data is inaccurate or incomplete, they have the right to ask you to rectify it.
- The right of erasure. Data subjects have the right to request the erasure of personal data related to them on certain grounds within 30 days.
- The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
- The right to data portability. Data subjects can have their data transferred from one electronic system to another at any time safely and securely without disrupting its usability.
- The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply where legal or official authority is carried out, a task is carried out for public interest, or when the organization needs to process data to provide you with a service for which you signed up.
Digital Services Act (DSA)
The new regulation addresses illegal and harmful content by compelling platforms such as Google and Facebook to remove content that doesn’t meet certain standards. The primary principle is “what is illegal offline must be illegal online,” according to the Council of the EU. The Digital Services Act (DSA) entered into force on November 16, 2022. Different provisions of the law will become effective at different times, with the law coming fully into force on February 17, 2024.
It applies to four categories of businesses:
- Intermediary services offering network infrastructure, such as ISPs
- Hosting services, such as cloud and web-hosting services
- Online platforms that bring sellers and consumers together, such as online marketplaces, social platforms, and app stores
- Very large online platforms, which are defined as online platforms that reach more than 10% of the 450 million consumers in Europe
Each category faces different requirements.
All of the above categories must:
- Engage in transparency reporting on court orders and actions taken, content moderation efforts, and more
- Update terms of service to account for fundamental rights
- Cooperate with national authorities
- Establish points of contact for authorities and, when necessary, legal representatives
Hosting services, online platforms, and very large online platforms must:
- Provide a notice-and-action mechanism enabling users to flag potentially illegal content for the business to remove
- Report criminal offenses
Online platforms and very large platforms must:
- Implement a complaint and redress mechanism
- Identify trusted flaggers whose expertise adds special weight to their content notices
- Take measures against abusive notices and counter-notices
- If they have a marketplace feature, take special actions, such as vetting third-party suppliers’ credentials, adhering to compliance-by-design principles, and more
- Not target advertisements to children or target advertisements based on users’ special characteristics
- Provide transparency into content recommendation systems
- Provide user-facing transparency into online advertising practices
Very large platforms must:
- Adopt risk management practices and establish crisis response protocols
- Submit to external, independent audits, establish an internal compliance function, and be publicly accountable
- Provide users the choice to not be subject to content recommendations based on profiling
- Share data with authorities and researchers
- Adhere to self-drafted codes of conduct
- Cooperate with authorities during crisis response situations
EU data protection authorities may access, obtain information from, and inspect service providers to inform orders and sanctions. If a business is found to be in violation, it may be fined up to 6% of annual global turnover during the preceding financial year. If an information obligation under the DSA is violated, the maximum penalty is limited to 1% of the previous year’s income or global turnover.
The Digital Markets Act
The Digital Markets Act (DMA) covers the largest digital platforms, known as “gatekeepers,” which include companies like Facebook, Apple, Microsoft, and Google. The DMA aims to level the playing field for digital companies and prevent gatekeeper companies from imposing unfair conditions on their competitors. For example, a company like Amazon isn’t allowed to rank products on its site in a way that gives Amazon’s own products and services an advantage.
A company is considered a gatekeeper if it:
- Has a strong economic position, significant impact on the EU market, and is active in multiple EU member states
- Has a strong position as an intermediary linking a large user base to a large number of businesses
- Has or will soon have an entrenched position in the market, which is determined by whether or not the company met the two previous criteria in the last three financial years
Under the DMA, businesses that qualify as gatekeepers must:
- Not engage in self-preferencing, where the gatekeeper promotes their own products and services over an equivalent third-party product or service on the gatekeeper’s platform
- Not reuse users’ data outside of the context in which it was originally collected without consent
- Not track users outside of the gatekeepers’ platform for the purpose of targeted advertising without consent
- Permit communication and content access between businesses and end users
- Ensure price and fee transparency in advertising intermediation services
- Provide access to marketing or advertising performance data on the platform to users
- Make it easy for users to change their default settings and uninstall software
- Ensure third-party technology can interoperate with the gatekeeper’s own
- Ensure end users’ data is portable to other systems
- Provide businesses with real-time access to their data on the gatekeeper’s platform
- Not prevent users from making complaints to authorities
- Not require user registration to additional services as a condition of accessing a given service
- Not use businesses’ non-public data to compete against them
- And more
Gatekeepers that violate the DMA may be subject to fines of up to 10% of annual global turnover or up to 20% in the case of repeated violations. What’s more, repeated violations may result in non-financial remedies, such as forced divestitures.
EU proposals to watch in 2023
The EU-U.S. Data Privacy Framework
Although it isn't a law per se, the EU-U.S. Data Privacy Framework is an important factor to be aware of.
Previously, businesses transferring EU citizens’ data into the U.S. relied on a framework called the Privacy Shield to ensure the data was sufficiently protected, but that framework was deemed invalid in the Schrems II court case. Since then, businesses have relied on standard contractual clauses (SCCs) approved by the European Commission to provide legal protection for data transfers.
However, these clauses are somewhat shaky: U.S. businesses aren’t supposed to rely on them if they are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows U.S. intelligence services to conduct searches of foreign communications, including EU citizens’ data. The intricacies of Section 702 are outside the scope of this blog, but the critical thing to know is that it isn’t always clear whether a business is subject to Section 702. Thus, the SCCs are risky to use, but there isn’t an alternative legal framework for international data transfers between the EU and U.S.
Until recently, that is.
On October 7, 2022, President Biden issued an Executive Order on Enhancing Safeguards for United States Signals Surveillance Activities. The order outlined the new EU-U.S. Data Privacy Framework, including additional security measures, a redress mechanism for EU and U.S. citizens who feel their rights have been violated, and greater protections for foreign citizens’ data that has been transferred to the U.S. Additionally, the framework requires intelligence agencies to make updates to surveillance-related policies and procedures, followed by a review by the Privacy and Civil Liberties Oversight Board.
Currently, the proposed framework is under review by the European Commission with input from the European Data Protection Board. There will likely be criticisms from European privacy advocacy groups, but if the framework survives, it could be the method businesses use to transfer data between the EU and U.S.
The ePrivacy Regulation (ePR)
The ePrivacy Regulation (ePR) has been a long time coming. It was meant to come into force alongside the EU’s General Data Protection Regulation in 2018 but has stalled for years. In March 2022, the EU Council agreed on a draft, but the regulation isn’t expected until at least 2023. Furthermore, if the ePR does enter into force during 2023, there will be a 24-month transition period. So, at the very earliest, businesses will have to become compliant by 2025.
The ePR, if passed, would create privacy rules for traditional electronic communications services and for entities that weren’t covered by the former law, the ePrivacy Directive, such as WhatsApp, Facebook Messenger, and Skype.
It would create stronger rules on electronic communication’s privacy, and it would apply to communications content and “metadata,” that is, data that describes other data. Under ePR, service providers and electronic communications networks must get prior consent from the user before processing their electronic communications metadata.
It would also, importantly, create more straightforward rules on cookies. It would allow users to accept or deny tracking cookies at the browser level, and it would clarify that websites do not need to get consent for what are called “non-privacy-intrusive cookies,” such as the cookies that let a website’s shopping cart keep track of what a user has ordered. It would also require organizations to enable end-users to withdraw previously granted consent at least once per year.
The EU Artificial Intelligence Act
The EU’s Artificial Intelligence Act would apply to any company doing business in the EU that develops or adopts “high-risk” AI systems. These systems affect employment, credit, health care, and other critical domains.
The Act was introduced in 2021 and is currently up for consideration in the European Parliament. As of this writing, the Act is up for a vote sometime in the first quarter of 2023. However, given the complexity of AI, this vote may be delayed to incorporate further amendments.
The AI Act would apply extraterritorially, meaning the law will cover companies based elsewhere if they have customers or users inside the EU, effectively making it a global regulation.
Under the Act, businesses with applicable AI systems would have to:
- Conduct impact assessments, keep records, and meet transparency obligations
- Not develop systems that can be used to manipulate a person’s behavior in a manner that could cause mental or physical harm
- Not develop systems that can be used to exploit the vulnerabilities of a specific group due to their age, physical or mental disabilities, or behavior in a manner that could cause psychological or physical harm
- Not develop systems that could exploit vulnerable groups based on age, or physical or mental disability
- Not develop systems that provide real-time remote biometric identification in publicly accessible spaces for law enforcement use
Other international data privacy laws
With over 130 data privacy laws across the globe, it isn’t feasible to list and describe each and every one in this blog post. However, here are some important regulations that may apply to your business.
- Brazil’s General Law for the Protection of Personal Data, or the Lei Geral de Proteção de Dados Pessoais (LGPD): This law came into effect in 2020 and contains many similar provisions to the GDPR. Learn more about the law in our dedicated blog article, The definitive guide to Brazil's privacy law, the LGPD.
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA was assented to in 2000, came into full force in 2009, and was considered a progressive law at the time. It was last updated in 2015 by the Digital Privacy Act but still falls short of the GDPR’s regulatory standard.
- China’s Personal Information Protection Law (PIPL): PIPL was enacted into law in November of 2021 and broadly maps to the GDPR’s stipulations. However, it does vary in some of its details, notably by giving individuals fewer rights, requiring a stricter standard for consent, and imposing harsher penalties.
Reduce complexity and risk with a compliance platform
This post covered some of the major laws that have had recent updates. That excludes many smaller laws that simply haven’t been updated recently and details of the above regulations that would be too deep in the weeds for a blog post. And still, this post is well over 5,000 words long!
For businesses that know they only need to comply with one law and have no intentions of expanding to other jurisdictions, it might be possible to handle compliance in-house. It will take time, resources, and effort, but it’s feasible. Once your business becomes subject to multiple laws, a wholly homegrown approach to compliance quickly becomes overwhelmed by the complexity of different laws’ requirements. With complexity comes risk and a weakened revenue stream, whether through fines and penalties, diverted resources that could be spent on revenue generation, or the loss of consumer trust.
Whether subject to one law or multiple, businesses interested in protecting their revenue from risk invest in compliance platforms. The solutions in this category formalize the knowledge of privacy professionals through their capabilities and features, enabling privacy novices and empowering privacy professionals alike.
Schedule a demo of Osano today.