Privacy and Data Protection Compliance Will Remain a Top Priority in 2023

January 17, 2023


As the value of data continues to increase exponentially, so too do the associated risks, including risk of cyberattacks, data breaches or data-related litigation, as well as rising regulation throughout the world designed to restrict the exploitation of these assets. 

This tension between an organization’s desire to maximize the benefits derived from data collection versus mounting exploitation risks will only continue to grow in 2023.  For example, according to the International Association of Privacy Professionals, in the absence of a federal standard in the U.S., state-level momentum for comprehensive privacy bills was at an all-time high in 2022, with 29 states and the District of Columbia either introducing data privacy bills or carrying them over from last year’s sessions, and two states successfully passing comprehensive privacy legislation as discussed below.  Similarly, in Europe, new proposals for regulations designed to address data usage have started to proliferate as policymakers moved from deliberation to action.

We expect that these trends will hold, leading to increasingly nuanced and disparate requirements with which companies will need to comply, especially those active in interstate and global commerce.  In 2023, U.S.-based businesses will confront hurdles in designing a privacy compliance program that complies with five new state laws regulating the collection, processing and disclosure of personally identifiable information (PII).  Further, recent regulatory trends have shifted privacy and data protection compliance away from mandating technical compliance measures to require greater board accountability with mounting attempts to regulate corporate behavior through governance.  Thus, it is critical that management be aware of and understand the organization’s data processing activities and the risks that follow when maximizing the value of such data to satisfy commercial needs and initiatives.

U.S. State Legislation and Enforcement

California Rulemaking Activities and Attorney General Enforcement

After two years of waiting, on January 1, 2023 the California Privacy Rights Act (the CPRA),[1] which amends the California Consumer Privacy Act (CCPA), finally took effect, significantly broadening compliance obligations for covered entities and strengthening protections for consumers to control usage of their PII.  Simultaneously, (i) the thirty-day cure period provided under the CCPA will sunset, permitting the California Attorney General (CA AG) to immediately file civil complaints for alleged violations, without any prior notice to an impacted entity and (ii) employee and commercial contact or “B2B” PII will no longer be exempt from the CCPA/CPRA’s requirements, meaning that employee or B2B PII collected or processed after January 1, 2022 will require similar treatment as consumer PII.

In July, the California Privacy Protection Agency (the CPPA), the state agency tasked with interpreting and enforcing the CPRA alongside the CA AG, commenced a formal rulemaking process to introduce a number of proposed and CPRA-mandated revisions to the current CCPA regulations (the Draft Regulations).[2]  At a high level, the Draft Regulations (i) expand upon notification requirements, including where privacy notices must be provided and what content such notices must disclose, (ii) detail how to effectively request and receive valid consumer consent, (iii) offer guidance with respect to opt-out, alternative opt-out and other data processing limitation links, as well as other consumer rights request mechanisms, methods and processes and the timelines for compliance therewith and (iv) summarize vendor management and oversight obligations, including with respect to the required provisions in agreements with “service providers,” “contractors” and “third parties.”  It is expected that the regulations will take effect sometime in April; until then, the current CCPA regulations remain in effect.

With respect to enforcement priorities, in 2022, the CA AG continued his enforcement sweep with over a dozen entities receiving notices of CCPA non-compliance, many of which concerned failures by regulated entities to (i) post CCPA-compliant privacy policies and fully comply with statements made therein, (ii) provide a “Do Not Sell My Personal Information” link where “selling” consumer PII, (iii) honor consumer opt-out requests, particularly those sent via universal opt-out mechanisms/user-enabled global privacy controls, or other consumer privacy rights requests such as the rights to know, access and delete and (iv) notify and receive opt-in consent from consumers with respect to consumer loyalty programs or other financial incentives.  We expect this trend to continue and increase in 2023.

New Comprehensive Privacy Laws in Utah and Connecticut

In 2022, Utah and Connecticut became the fourth and fifth states, respectively, after California, Virginia and Colorado, to impose comprehensive privacy and data protection obligations on covered businesses and to provide these states’ residents with control over the collection and processing of their PII.  Utah’s Consumer Privacy Act (the UCPA; previously discussed here),[3] effective December 31, 2023, aligns most closely with Virginia’s law and is arguably the least commercially restrictive law to date, whereas Connecticut’s Data Privacy Act (the CDPA; previously discussed here),[4] effective July 1, 2023, aligns more closely with California’s and Colorado’s laws and is slightly more protective of consumer rights.

Fortunately, the UCPA and CDPA largely track the obligations and restrictions set forth under similar omnibus privacy laws passed last year—namely the Virginia Consumer Data Protection Act, effective January 1, 2023, and the Colorado Privacy Act, effective July 1, 2023, (discussed here and here, respectively)—meaning organizations already covered by such laws may be able to easily adapt or modify certain existing compliance measures to satisfy many of the new laws’ requirements.

Other U.S. Privacy Developments

  • Congress Makes Progress on Federal Privacy Legislation.  Last summer, legislators made progress on a bipartisan, bicameral proposal for comprehensive federal data protection legislation with the introduction of the American Data Privacy and Protection Act (the ADPPA).[5]  Despite revisions to the initial legislation, the two most contentious aspects of the ADPPA—namely, its broad preemption of state data privacy laws and the inclusion of a private right of action—remain, and continue to impede progress as lawmakers on each side of the aisle negotiate to strike a palatable balance.  We expect momentum to pass the ADPPA to resurface during this year’s legislative session, particularly as concerns surrounding the lack of a federal standard and the growing patchwork of state legislation continue to amplify; however, we also expect the ADPPA to receive pushback from states that already have their own laws and continue to argue that their state-level protections should prevail.
  • Continued Focus on Regulation on Children’s Data.  As predicted, the processing of children’s data continued to be a major focus in 2022 with proposals and ultimate enactment of legislation aimed at protecting children from misuse and exploitation of their PII and recent enforcement actions signaling that regulators intend to commit to their objective of defending children’s privacy rights.[6]

In California, lawmakers continued to advance legislation to increase protections surrounding children’s PII with enactment of the California Age Appropriate Design Code (Code).  The Code, which becomes effective July 1, 2024, applies to businesses covered by the CPRA that develop and provide online services, products or features that are “likely to be accessed by children.”[7]  Specifically, the Code imposes new obligations on covered entities, including requirements to conduct data protection impact assessments for online products, services or features likely to be accessed by children, including those offered to the public prior to the Code’s effective date, and new and enhanced notice requirements, including obligations to provide “obvious signals” where a child’s online activities or location are being tracked or monitored.  With increased focus on the protection of children’s PII both stateside and around the world,[8] additional states have introduced similar proposals based on the Code,[9] and we expect this trend will continue with additional states likely to introduce similar proposals to protect children who engage in online activities.

  • NY Department of Financial Services Proposes Amendments to its Cybersecurity Regulation.  For the first time since its enactment in 2017, the New York Department of Financial Services (NYDFS) is overhauling its Cybersecurity Regulation, the first of its kind to codify technical and organizational cybersecurity best practices into binding regulation (the NYDFS Regulation).  The proposed amendments,[10] for which the public comment period concludes January 9, 2023, contain significant revisions designed to mandate preventative measures that address common attack vectors and to enhance cybersecurity governance for public companies and other covered entities, bringing more formality and uniformity to the assessment of, and response to, a covered entity’s bespoke cybersecurity risks.  Most notably, the proposed amendments (i) contain robust board accountability and governance requirements, such as increased oversight by a covered entity’s senior governing body, (ii) create a new, distinct category of regulated firms (i.e., entities that are larger, more complex and assumed to have more resources available to address cybersecurity risks) and (iii) provide an alternative avenue for covered entities to submit acknowledgements of noncompliance in place of the current annual certification requirement (which offers no option for admitting any non-compliance).  Once the amendments are finalized and adopted, covered entities will have 180 days to become compliant with most provisions of the revised NYDFS Regulation, subject to certain exceptions as detailed therein.

EU / UK Privacy Developments

  • New EU-U.S. Data Privacy Framework Proposed.  After over two years of detailed negotiations, in March, a new EU-U.S. Data Privacy Framework (the Framework) was agreed in principle, kickstarting a process to establish a new mechanism to legitimize cross-border transfers of personal data from the EU to the U.S.  To implement its commitments under the Framework, in October, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the Executive Order),[11] prompting the European Commission (EC) to formally launch the process to adopt an adequacy decision based on the Executive Order in December.[12]  The formal adoption process is expected to take several months, with the final text likely to be published around April 2023; however, certain critics and privacy advocacy groups have already publicly challenged the validity of this new adequacy decision, believing it may once again be invalidated before the Court of Justice of the European Union.[13]
  • Cyber Resilience Act Proposal.  In September, the EC published its proposal for a new regulation setting forth cybersecurity-related requirements for products with “digital elements,” known as the proposed Cyber Resilience Act,[14] which is expected to be adopted into law by 2025.  The proposal mandates that manufacturers (i) ensure that products placed on the EU market are secure, (ii) remain responsible for cybersecurity throughout a product’s life cycle, (iii) notify users of any actively exploited vulnerabilities or incidents that have an impact on the cybersecurity of their products and (iv) monitor, disclose and address vulnerabilities in respect of their product suite (including any components they source from third parties).  Further, manufacturers and, in some instances, distributors or importers of products must provide security updates and support for a reasonable period of time, as well as end-of-life information, to relevant users.  Given that products that fall within the scope of the proposal might have long manufacturing runs, or might be embedded in other hardware and software as components, manufacturers covered by the Cyber Resilience Act may be exposed to a long tail of supply chain issues.
  • Regulation on the European Health Data Space.  In May, the EC published its proposal for a regulation on the “European Health Data Space.”  The proposed regulation strives to create a “European Health Union” by strengthening individuals’ access to and portability of their electronic health data and allowing innovators and researchers to process this data through reliable and secure mechanisms.[15]  In particular, from a privacy perspective, the proposed regulation aims to define individuals’ electronic health data rights (including, for instance, restricting healthcare professionals’ access to all or part of their electronic health data), while simultaneously making it less burdensome for entities to use electronic health data for research, innovation and policymaking purposes.[16]  While this proposed regulation is still under discussion before the European Council and is not expected to be adopted until the end of 2024, it may bring about additional changes to the regulatory landscape surrounding the processing of health data.
  • Transfers of Personal Data from the UK After Brexit.  In March, the UK’s Information Commissioner’s Office published its International Data Transfer Agreement (UK IDTA) and UK Addendum as valid transfer mechanisms under the UK’s General Data Protection Regulation (GDPR),[17] replacing the old standard contractual clauses (old SCCs) issued by the EC.  Organizations that are subject to the UK GDPR will have to adapt their existing contractual arrangements to incorporate the UK IDTA and/or the UK Addendum.  Contracts signed on or before September 21, 2022 can continue to use the old SCCs until March 21, 2024, after which the old SCCs must be replaced by either the IDTA or the Addendum in conjunction with the new standard contractual clauses that the EC issued in 2021 (new SCCs) to replace the old SCCs.  All contracts signed after September 21, 2022 must use either the IDTA or the UK Addendum in conjunction with the new SCCs.
  • UK Government’s Consultation to Reform the UK GDPR.  The future of the data protection regulatory landscape in the UK remains unclear.  In July, the UK government put forth a Data Protection and Digital Information Bill intended to revise the current UK GDPR framework without radically changing its core principles and the obligations of organizations.  However, in October, the UK’s Department for Digital, Culture, Media and Sport announced that the UK now intends to introduce more significant changes and to replace the UK GDPR “with [a] business and consumer-friendly, British data protection system.”  This may result in the UK having a data protection regime that imposes less onerous data privacy obligations on businesses than the EU GDPR, which may affect the adequacy decision the EC adopted in respect of the UK in 2021 allowing for the free flow of data between the UK and the EU.[18]  In addition, UK businesses operating in the EU may soon need to comply with two different sets of privacy laws.

Key Takeaways

  • Organizations must stay abreast of new and modified compliance obligations as regulators continue to introduce and amend privacy and data protection laws to account for increasing risks.
  • To the extent actions have not been taken to date, organizations must prioritize and take steps to determine which current laws and regulations apply to their business and implement a compliance strategy to satisfy data privacy- and protection-related obligations.
  • Businesses that process sensitive data (e.g., children’s data, biometric information or health-related data) or that otherwise engage in high-risk processing activities heavily scrutinized by regulators (e.g., cross-border data transfers, use of data for cross-context behavioral and targeted advertising), must be keenly aware of the bespoke risks that arise in connection with these collection and processing activities and, consequently, the related compliance obligations, to ensure protection of such data assets and insulate against liability that may result from high-risk processing.

[1] The full text of the CPRA can be found here.

[2] A current draft of the Draft Regulations can be found here.

[3] The full text of the UCPA is available here.

[4] The full text of the CDPA is available here.

[5] The full text of the revised version of the ADPPA can be found here.

[6] For example, in December, the United States Federal Trade Commission (FTC) entered into two record-breaking settlements totaling over $520 million with Epic Games, Inc., the video game publisher behind the popular online multiplayer game Fortnite, over alleged violations of the Children’s Online Privacy Protection Act and the use of “dark patterns” to deceive players into making unwanted in-game purchases. For additional information, see our December blog post available here.

[7] Carve-outs exist for online services, products and features including broadband internet access services, telecommunications services and delivery or use of a physical product, such as connected devices.

[8] The UK recently began enforcement of its own Age-Appropriate Design Code in September of 2021.

[9] See, e.g., New York’s “Child Data Privacy and Protection Act” and New Jersey’s proposed bill to create the New Jersey “Children’s Data Protection Commission.”

[10] A copy of the proposed amendments can be found here.

[11] A copy of the Executive Order can be found here. A copy of the fact sheet published by the White House can be found here.

[12] A copy of the draft adequacy decision can be found here.

[13] Our previous coverage of the announcement of the Framework, the Executive Order and the draft adequacy decision can be found in our blog posts available here, here and here, respectively.

[14] The full text of the proposal can be found here.

[15] For more information, please see our alert memorandum on the European Health Data Space, available here.

[16] Note that, in response to the EC’s proposal, the European Data Protection Board and the European Data Protection Supervisor issued a Joint Opinion in July, expressing a range of concerns with the proposed regulation, including some aspects that may have a weakening effect on data subjects’ rights and protections under the GDPR.

[17] A copy of the IDTA and UK Addendum can be found here.

[18] A copy of the EU’s adequacy decision in respect of the UK can be found here.