The Bottom Line
- As new state privacy laws go into effect in 2023, companies need to ensure compliance with an ever-growing list of obligations.
- Expect regulators to keep cracking down on dark patterns and privacy violations, including noncompliance with these new privacy laws.
Privacy laws and enforcement will see some big changes in 2023. Last year brought more state laws and regulations, as well as FTC and GDPR developments — and that focus on privacy is expected to continue throughout the new year… and even expand.
Top Five Privacy Issues for 2023:
1. CCPA/CPRA Enforcement Begins
The California Consumer Privacy Act (CCPA) was ground-breaking as the nation’s first comprehensive consumer privacy law. Although the law took effect on January 1, 2020, the first public CCPA enforcement action was just announced in August 2022. While the $1.2 million fine levied against Sephora was the first, it most certainly won’t be the last. The California Privacy Rights Act (CPRA), a/k/a “CCPA 2.0,” took effect on January 1, 2023, and establishes the new California Privacy Protection Agency (CPPA). The CPPA is gearing up and will be the nation’s first stand-alone privacy regulatory agency. The CPPA is expected to be active in 2023 and beyond in enforcing California’s privacy laws.
2. Preparing for New State Privacy Laws
In the absence of a comprehensive privacy law at the federal level, individual U.S. states are taking up the task of drafting their own legislation. In addition to the CPRA, four other state laws will take effect in 2023:
- The Virginia Consumer Data Protection Act (January 1)
- The Colorado Privacy Act (July 1)
- Connecticut’s “An Act Concerning Personal Data Privacy and Online Monitoring” (July 1)
- The Utah Consumer Privacy Act (December 31)
All five state laws will, among other features: provide consumers with rights regarding their data (including the right to opt out of targeted advertising), set restrictions on the collection and processing of “sensitive” personal information and require written contracts with data processors/service providers. Companies will need to build upon existing U.S. compliance efforts to meet all these new privacy obligations.
3. Ad Tech Industry Responds to New Privacy Laws
Companies throughout the ad tech ecosystem are reckoning with the new state privacy laws that have come or will come into effect in 2023. Although the laws in Colorado, Connecticut, Virginia and Utah are new, companies already in compliance with California’s existing privacy laws may find they are reasonably well positioned to comply with these new statutes.
However, California has now made significant changes to its own privacy laws, as mentioned above. As a result, many ad tech players will no longer qualify as “service providers” under revised California privacy laws, resulting in the loss of a number of “safe harbor” protections that come with that designation. Instead, most will be treated by California as “third parties” — and possibly even as “businesses.” In either case, compliance obligations will likely be far more challenging in California, particularly if the ad tech companies are involved in targeted advertising or measurement activities.
Some industry initiatives, including one by the Interactive Advertising Bureau (IAB), are attempting to address the compliance issues that will arise. However, in other cases, ad tech companies should be prepared to customize their own responses to these changes based on their specific role in the ecosystem and the level of their previous compliance efforts.
4. FTC Enforcement Addresses Dark Patterns and Protecting Minors
The appointment of a new FTC commissioner in 2022 saw an increased focus on privacy enforcement, and the Commission’s recent track record indicates that it is heading into 2023 with an active agenda. In September, the FTC released a staff report highlighting how companies are increasingly using sophisticated design practices known as “dark patterns” to trick or manipulate consumers into buying products or services or giving up privacy rights. The report further discussed the FTC’s efforts to combat the use of dark patterns and its plans to protect consumers against these deceptive practices.
Significant enforcement actions followed the staff report, with the FTC reaching a $520 million settlement with a video game maker for Children’s Online Privacy Protection Rule (COPPA) violations and the unfair use of dark patterns. The Commission is intent on aggressive enforcement of personal data processing for children 13 and younger and is also focused on the effect of companies’ data practices on teenagers. This all may be foreshadowing how minors’ personal data may be collected and processed when California’s Age Appropriate Design Code takes effect in 2024.
A long-awaited federal privacy statute, which would grant the FTC new rulemaking powers as its primary enforcer, would also be a major development for its privacy authority if enacted. While the American Data Privacy and Protection Act (ADPPA) received bipartisan support in the House Energy and Commerce Committee in the last Congress, uncertainty remains as to whether it can pass muster in the Senate and the new Congress. Nevertheless, businesses can expect to see more aggressive FTC enforcement actions in 2023 and should be prepared for the prospect of increased scrutiny surrounding online risks posed to children, algorithmic discrimination and data practices involving emerging technologies.
5. EU Cookies and Behavioral Advertising
Cookies are crumbling in the European Union, bringing widespread changes to the behavioral advertising ecosystem. In 2022, yet another shift occurred — a European regulator invalidated a key consent management platform, known as the Transparency & Consent Framework (TCF), that the advertising ecosystem relied on to engage in behavioral advertising. The IAB Europe, while awaiting a final decision on the issue, will need to modify the TCF or create a new solution that enables behavioral advertising in a GDPR-compliant fashion. 2023 will hopefully bring more certainty to the commonly used TCF framework, and to the behavioral ad industry in the EU more generally.