Data Privacy Day 2023: Global Trends as the US Falls Behind

Data Privacy Day, held on January 28th each year, is an international effort to bring stakeholders across the privacy sector together to increase awareness of data privacy and personal information protection issues among consumers, organizations, and government groups alike.  In celebration of Data Privacy Day 2023, we wanted to take stock of the current regulatory landscape globally, and share some thoughts on what we think should be on your compliance radar for the coming year.

United States

2023 marks a big year in state privacy legislation. At the turn of the New Year, California’s CPRA went into effect, even without finalized regulations. Additionally, Virginia’s VCDPA went into effect on January 1. Colorado’s and Connecticut’s privacy laws will take force on July 1, and Utah’s privacy law will go live on December 31 this year. Regarding business obligations, California’s remains the strictest privacy law among the states, and discussions continue regarding CPRA regulations around issues like how to address employee data and meaningful consent. So the dust hasn’t settled just yet on what will be required of businesses for compliance.

Global

Globally, as new national laws develop, the rest of the world is trending toward GDPR-style opt-in consent models as opposed to the U.S. “opt-out” regime. This is most evident in Australia, where the Attorney General recently signaled he will work to revamp Australian privacy law to further align with the European model. Currently, Australia follows the U.S. “opt-out” approach, offers fewer data subject rights than the GDPR and many other privacy regulations around the world, and does not have a path to an adequacy agreement with the European Union.

On a related note, EU member states have continued to fine American big tech companies for privacy violations, with significant figures. Meta received a $410 million slap on the wrist for illegally forcing users to accept personalized ads in its Terms and Conditions. This opens a fundamental question for how big tech will try to get around fines in the law, as adding acceptance to personalized ads in a Terms and Conditions click-wrap under American law would land Meta in basic contract law, not privacy law. The Europeans, however, made clear that this is still a privacy issue and that such acceptance does not amount to meaningful consent for tracking and personalized advertisements, which will fundamentally change how big tech companies seek legal loopholes to avoid privacy infractions. Meta puts money aside each year to pay fines like these as a business cost, not necessarily as a fine, and a recent decline in profits for the company, coupled with big tech layoffs across the sector, begs the question: will companies finally be forced to fall in line as the economic implications continue to spiral? It will certainly be very interesting to see how this plays out over the coming months.

Conclusions

Observations from the past year and emerging trends early into 2023 suggest a couple of things: (1) U.S. privacy law as it stands within the “opt-out” model has fallen behind privacy law developments in the rest of the globe. Any further state or federal law development not in alignment with the European approach may be rendered irrelevant by global companies seeking a universal privacy policy and approach for efficiency’s sake. (2) Many companies operate globally and are therefore legally obligated to follow various applicable laws based on the regions in which they operate, but a jurisdiction-by-jurisdiction approach is unwieldy to set up, operate and administer, leading many companies to attempt to design and operate a “universal approach”. Getting this right can be challenging, as this tack requires companies to generally align with the European “opt-in” model (often considered the strictest regime, or “highest bar”) but still comply with specific, unique requirements of various international laws. A big benefit, however, once the initial capital expense and lift is accomplished, is reduced long-term administrative lift. For organizations with a heavy business to customer or “B to C” operation, applying the same rules and offering the same rights to all customers is worth the effort from customer service, public relations and brand value proposition standpoints. Overall, these trends signal Europe as a continuing trailblazer in the space, with the U.S. fading fast in the rear view mirror.

To learn more about how Myna Partners can help with your risk analysis and data stewardship challenges, contact Dave Cohen, Director, at: dave.cohen@levelupconsult.com