2023 Privacy Law Updates That Your Business Needs to Know
By Matt Saldaña, Elliot Brake, and Kevan Lee Deckelmann
2023 is poised to be a significant year in privacy law, with changes happening at the state, national, and international levels. Here’s what companies need to know about privacy law expectations on consumer data going into the New Year.
New state privacy laws add changes that will impact businesses
In 2023, four new state privacy laws will come into effect: the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act on January 1, and the newly passed Connecticut Data Privacy Act and the Colorado Privacy Act on July 1.
Of note, the California law (CPRA) will have the earliest and greatest implications for companies, and will supplant the current California Consumer Privacy Act (CCPA). The new CPRA has 2 aspects of particular concern to businesses:
- Removal of the 30-day notice and cure period for violations.
- Broadening of the circumstances in which the law’s $7,500 per violation fine will apply.
Fortunately, modified proposed regulations for the CPRA were recently released and feature simplified disclosure requirements as well as guidance for the collection and processing of sensitive consumer data that, if approved, would provide helpful clarification to covered businesses.
State privacy laws come down on major companies, Sephora and Samsung
Although the CCPA (which initially lacked enforcement) will soon be supplanted by the CPRA, the California Attorney General has shown that it intends to exercise its authority under the law. Last month, Sephora was the recipient of the first CCPA enforcement action that resulted in $1.2 million in assessed penalties in addition to injunctive relief. Sephora failed to disclose to its consumers that personal information, such as online purchases, was sold to third parties for targeted advertising purposes. Despite a 30-day notice and cure period (which will be removed with the new Act), Sephora was unable to bring its data collection practices into compliance.
Additionally, the Illinois Biometric Information Privacy Act (BIPA) continues to be a major source of private, consumer-led litigation against companies that collect biometric data: 50,000 Samsung phone users are currently seeking arbitration against Samsung for allegations that the company unlawfully used facial recognition technology.
Otherwise, the state privacy law landscape remained quiet over the summer as several state legislatures hit the pause button on consumer privacy laws.
Nationally, American Data Privacy and Protection Act slow on progress
At the federal level, the American Data Privacy and Protection Act, which aims to restrict the collection and use of consumer data and would preempt similar state laws, continues to make its way through the House but is unlikely to see further progress until next year. The Federal Trade Commission (FTC) continues to receive public comments in response to its proposed rulemaking directed at hot-button privacy issues like targeted advertising, biometrics, and protections for children, but the proposal has been described by critics as overly broad and exceeding the FTC’s rule-making authority.
Internationally, President Biden makes progress on EU-U.S. data privacy framework
In international privacy news, President Biden approved regulations and commitments for implementing the new EU-U.S. Data Privacy Framework that was announced in March. The new framework will govern how U.S. intelligence agencies handle the personal data of EU residents, aiming to facilitate increased transatlantic data flow after the older Privacy Shield was struck down in 2020.
Bernstein Shur’s Media & Marketing Practice Group helps businesses navigate changes to privacy law and provides counsel on how these changes will impact you and your business. Contact Matthew J. Saldaña to learn more.