A wave of new U.S. state privacy regulations will kick in over the next 12 months, bringing challenges for businesses of all kinds. As the Privacy and Information Security Practice Chair at Kelley Drye, I help clients large and small with applying legal obligations to their data and marketing practices. Recently I partnered with Ketch and the IAPP (International Association of Privacy Professionals) to deliver a webinar exploring data privacy priorities and trends for 2023.
Data privacy laws: 5 things to watch in 2023
2023 is going to be a bumpy ride for privacy professionals. In the webinar, we outlined in practical terms what businesses should expect over the next year. Here are 5 key tips for privacy teams in 2023.
1. Mark your calendars
For the past few months, most privacy teams' calendars have had a big red circle around January 1st 2023. It's easy to see why: the California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) provisions become operative at the start of the year, and there has been plenty of chatter about the expiration of California's 30-day grace period for curing privacy violations.
However, privacy teams can't afford to focus solely on the start of the year. The existing CCPA regulations that the CPRA did not amend remain in force until July 1st 2023, and the CPRA's amendments to the CCPA only become enforceable from that date. By mid-year, the privacy frameworks in California, Colorado, Connecticut, and Virginia will all be enforceable, and Utah's will follow at the end of the year. July 1st is going to be a very, very big date.
Some companies will be rolling out key privacy features, such as opt-out mechanisms for targeted ads or for the sale and sharing of data, by the start of 2023. For the more operationally challenging areas, though, businesses have discretion on whether to roll them out right away or wait until closer to the July 1st deadline. Waiting has its own cost: brands will need to decide whether to make one big update to their privacy policies or roll out incremental changes as they update their offering over the course of the year.
2. Don’t sleep on your Notice at Collection strategy
One key "sleeper issue" is the need for new Notice at Collection processes. That might sound straightforward, but it's actually high-stakes: when notices are done right, businesses can take an opt-out approach to collecting personal information, letting them drive value and maximize data collection across their operations. Fail to dot the I's and cross the T's, though, and under California's draft regulations there is a presumption that collection is opt-in.
In Q1 or Q2, businesses will need to decide how they present their updated Notices at Collection: clear language, or possibly visual charts, reachable through prominent links in website footers or banners, so that consumers understand what is being collected. The challenge is including every required disclosure while producing something that anyone, not just lawyers and engineers, can understand.
We'll also see increased use of contractual language requiring business partners to provide proper disclosures, and likely increasing convergence on best practices for specific sectors such as digital advertising. I truly hope the industry harmonizes around a standard, with consensus on how the laws apply to digital advertising, including particular practices like measurement and attribution. It's a fluid situation, and one to monitor and update as we move forward.
3. Pay attention to opt-out signal compliance
State regulators increasingly expect companies to honor the preferences that consumers express via the Global Privacy Control (GPC) signal or other emerging permission tools. The timelines vary a bit, though: California's Attorney General already requires compliance with such signals under the CCPA, while Colorado's requirement to honor universal opt-out mechanisms does not take effect until July 2024.
Under the CPRA's draft regulations, meanwhile, businesses would be required to honor such preferences not only for the consumer's browser or device but also for any customer profiles (including pseudonymous profiles) associated with that browser or device, and to treat the signal as an opt-out of selling or sharing the consumer's data.
With California's regulations not yet finalized, opt-out signal compliance will remain something of a moving target in 2023. Still, it's important to read the tea leaves and prepare for increased regulatory focus on global permission systems. We're going to see an evolution in the marketplace.
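The signal handling described above, as an added example that is not part of the original post or of Ketch's product: a small Node.js module that detects GPC on the server (the `Sec-GPC: 1` request header) and in the browser (the `navigator.globalPrivacyControl` property), then records the opt-out against every pseudonymous profile linked to the sending device, as the California draft regulations contemplate. The header name and DOM property come from the GPC specification; the profile store, helper names, device IDs and sample requests are constructed for this illustration.

```javascript
// Added example (not from the original post): honouring a Global Privacy Control
// opt-out signal server side (Sec-GPC header) and client side
// (navigator.globalPrivacyControl), and applying it to every pseudonymous profile
// linked to the browser/device. The store shape and helper names are assumptions.

// The GPC spec defines the signal as the request header `Sec-GPC: 1`.
// Anything else (absent, "0", "true", "yes") is not a valid opt-out and must
// not be treated as one; header names are matched case-insensitively.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === 'sec-gpc'
  );
  return entry !== undefined && entry[1] === '1';
}

// Client side: the spec exposes the same signal as navigator.globalPrivacyControl,
// a boolean that is `true` only when the user has enabled GPC. A string "true"
// or a missing navigator is not a signal.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Hypothetical profile store: deviceLinks maps a browser/device ID to the set of
// pseudonymous profile IDs the business has associated with it, so an opt-out
// received from that device can be propagated to all of them.
function createStore() {
  return { profiles: {}, deviceLinks: {} };
}

function linkProfile(store, deviceId, profileId) {
  if (!store.profiles[profileId]) {
    store.profiles[profileId] = { optOutSaleShare: false, source: null, at: null };
  }
  if (!store.deviceLinks[deviceId]) store.deviceLinks[deviceId] = new Set();
  store.deviceLinks[deviceId].add(profileId);
}

// Apply a signal for a device. Returns the sorted list of profile IDs that were
// newly marked as opted out of sale/sharing (empty if no valid signal or if
// every linked profile was already opted out).
function applyGpcSignal(store, deviceId, optOut, now = new Date()) {
  if (!optOut) return [];
  const linked = store.deviceLinks[deviceId] || new Set();
  const affected = [];
  for (const pid of linked) {
    const p = store.profiles[pid];
    if (!p.optOutSaleShare) {
      p.optOutSaleShare = true;
      p.source = 'gpc';
      p.at = now.toISOString();
      affected.push(pid);
    }
  }
  return affected.sort();
}

// The gate a downstream sale/share pipeline should check before sending data.
function maySellOrShare(store, profileId) {
  const p = store.profiles[profileId];
  return p !== undefined && !p.optOutSaleShare;
}

// Demo on constructed data: one device with two linked profiles sends a valid
// signal; a second device sends a malformed value that must be ignored.
function demo() {
  const store = createStore();
  linkProfile(store, 'dev-1', 'pseudo-A'); // e.g. a cookie-based ad profile
  linkProfile(store, 'dev-1', 'pseudo-B'); // e.g. a hashed-email match profile
  linkProfile(store, 'dev-2', 'pseudo-C');

  const requests = [
    { deviceId: 'dev-1', headers: { 'Sec-GPC': '1', 'User-Agent': 'example' } },
    { deviceId: 'dev-2', headers: { 'sec-gpc': 'true' } }, // malformed: not honoured
  ];
  for (const r of requests) {
    applyGpcSignal(store, r.deviceId, gpcFromHeaders(r.headers));
  }
  return store;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo().profiles, null, 2));
}
```

Two design points worth noting: the header check is strict (only the literal value `1` counts, matching the spec's ABNF), so a misconfigured proxy that forwards `Sec-GPC: true` does not silently opt users out or, worse, get logged as honoured; and `applyGpcSignal` only reports profiles whose state actually changed, which gives you an audit trail of when each profile's opt-out was first recorded.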
4. Get a handle on flow-down obligations
New regulatory trends will require businesses to pay close attention to how data is used across their entire ecosystem, including the third-party companies they share data with or whose tools and services they rely on. Sale/sharing opt-out signals, deletion requests, and limits on the disclosure of sensitive personal information will increasingly need to flow through the entire data ecosystem to ensure compliance.
Again, some details still need to be fleshed out by regulators. For instance, exactly how flow-down will work when businesses hold different pseudonymous profiles that ultimately refer to the same consumer or device remains an open question. It's here that consent orchestration systems such as Ketch have a key role to play.
5. Stay flexible to cope with coming changes
One thing is clear going into 2023: changes are coming, but we haven't seen the full story yet. The initial tranche of draft CPRA regulations should be finalized in Q1, and a second phase of draft regulations is on the way. Keep your eyes on the prize: focus first on what you must have in place for the first tier.
More detail is also needed in areas such as cybersecurity audits and risk assessments, both of which could affect digital advertising and related spaces. Existing Virginia and Colorado laws offer a sign of what to expect here, so it's possible to start laying groundwork without knowing exactly what regulators will demand. Don't let the perfect be the enemy of the good.
Finally, with Democrats now holding supermajorities in several more states, additional privacy frameworks are likely to be enacted over the next year or so. Don't get too comfortable with existing regulations; there are going to be shifting sands. Being nimble and open-minded, so you can tweak your programs, is going to be really important.
Start preparing now for 2023 changes
The big takeaway: changes are coming, and it will serve organizations of all kinds to keep their ears to the ground, anticipate changes, and be proactive about building out flexible and effective privacy infrastructure.
Check out the full webinar for more details — including Interactive Advertising Bureau assistant general counsel Tony Ficarrotta’s insights on how to use new technologies to develop “privacy safe” digital advertising strategies. Or get in touch with Ketch, and learn how they’re helping organizations to manage data privacy at scale in today’s fast-changing regulatory landscape.