The Ways Privacy Completely Changed in 2023
In the last year, privacy bills and regulations boomed across almost every US state, affecting nearly every sector of the economy, while internationally, countries continued to build and enforce their own privacy obligations. In 2023 alone, 7 states passed comprehensive privacy laws, each with its own requirements, more than doubling the number of states that have comprehensive laws. A comprehensive bill is broader in significance and scope than smaller, sector-specific or otherwise limited bills. Meanwhile, every US state either already has, or introduced in 2023, sector-specific privacy requirements covering areas such as healthcare data, biometric data, and youth privacy. More bills are being introduced consistently, and the trend does not seem to be slowing. AI regulation fell under 10 states’ comprehensive privacy laws this past session, and AI continues to be a growing impetus behind privacy regulation. However, differing requirements across state borders create an increasingly complex compliance problem.
Even the Federal government has begun to realize the importance of privacy as AI dominates the policy conversations of Congress. In a single Congressional session, 27 bills directly governing privacy were introduced. Similarly, Presidential orders on regulating cybersecurity, together with significant updated compliance requirements from agencies such as the Federal Trade Commission and the Securities and Exchange Commission, form a complex and dynamic system of legal requirements.
Across the globe, only 18% of UN Member States have neither a data privacy law nor a privacy bill in progress. Though the number of international data and privacy laws has grown steadily since 2012, it has increased rapidly since 2021. Several key international actors, such as Jordan and India, enacted their first national privacy and data protection laws, while in other countries new laws were introduced or took effect. The EU continues to regulate and provide guidance under the GDPR. Similarly, the data bridge covering transfers among the US, the UK, and the EU was finalized, creating new rights and obligations for all parties.
As both the national and international ecosystems continue to develop privacy and data protection laws at a dizzying pace, it can be difficult to predict and maintain compliance. Privacy law is often compared to a “patchwork”, composed of many (sometimes clashing) responsibilities for any entity that deals with data, regardless of the type of data.
United States Comprehensive Privacy Bills in 2023

| Took Effect | Enacted | Introduced (Active) |
| --- | --- | --- |
| Most provisions of the California Privacy Rights Act (CPRA) + California Delete Act (CDA) | Iowa’s Act Relating to Consumer Data Protection (ICDPA) | Maine: “An Act to Create the Data Privacy and Protection Act” (LD 1977) |
| The Colorado Privacy Act (CPA) | Indiana’s Consumer Data Protection Act (INCDPA) | Massachusetts: “To establish the Massachusetts data privacy protection act” (MA H83) |
| The Connecticut Data Privacy Act (CDPA) | Montana’s Consumer Data Privacy Act (MTCDPA) | New Hampshire |
| The Utah Consumer Privacy Act (UCPA) | Texas’ Data Privacy and Security Act (TDPSA) | New Jersey (S332) |
| The Virginia Consumer Data Privacy Act (VCDPA) | Tennessee’s Information Protection Act (TIPA) | North Carolina: “An Act To Protect Consumers by Enacting the Consumer Privacy Act of North Carolina” (SB 525) |
| | Oregon Consumer Privacy Act (OCPA) | Pennsylvania (HB 708) |
| | | Wisconsin (AB 466) |
* Note: Florida also passed its Digital Bill of Rights in 2023. Though it is the state’s landmark privacy law, it is not considered to be “comprehensive.”
Enforcement Actions You Should Care About
- In a long-awaited clarifying ruling in Cothron v. White Castle System, Inc., the highest court in Illinois upheld and applied the state’s landmark biometric privacy law. The court found, based on the language of the state law, that each collection of biometric data without consent constitutes a separate violation, not just the first instance for a given individual. Under Illinois law, violations can therefore aggregate quickly for a single entity that fails to obtain consent. Though the court declined to rule on appropriate damages, the cost of these violations is steep. Under the statute, negligent (unintentional) violations start at $1,000, and intentional or reckless violations start at $5,000.
- For the first time, the EEOC sued based on algorithmic discrimination in hiring procedures. The agency found that three tutoring companies (operating as one group) used an AI system that automatically rejected older applicants based on their age, a violation of federal law. In the settlement, the company group agreed to pay $365,000 and furnish other relief to the injured parties.
- At the federal level, the Federal Trade Commission had an incredibly active year of litigation against some of the largest tech giants. In 2023, Amazon was the subject of several complaints and investigations, one of which relates to the retailer’s use of dark patterns to trick consumers into using Amazon’s Prime services. Similarly, Publishers Clearing House’s use of dark patterns is going to cost it $18.5 million, according to an FTC court order.
The FTC definition of “dark patterns” has been incorporated into several states’ privacy laws, including Florida’s and Connecticut’s. Because these laws either have yet to take effect, or only recently took effect, no charges have yet been brought under these dark pattern definitions. However, with such strong examples of enforcement by the FTC, it is likely only a matter of time.